claude-api

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Managed Agents and tool-use workflows explicitly mount and read external GitHub repositories and fetch web content (see curl/managed-agents.md examples showing "resources" with "github_repository" mounts and the SKILL.md instructions to "WebFetch" live docs and use WebFetch/WebSearch/WebFetchTool server-side tools), which are untrusted, user-provided third-party sources that the agent is expected to read and that can materially influence its tool calls and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly allows declaring MCP server URLs (e.g., https://my-mcp-server.example.com/sse and public MCP endpoints like https://api.githubcopilot.com/mcp/) in agent configs and mounting GitHub repos (e.g., https://github.com/owner/repo) at session start — these URLs are contacted at runtime to provide tool definitions or fetch code that the agent can execute or use to shape prompts, so they constitute runtime external dependencies that can execute remote code or control agent behavior.