agents-connect

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to connect to external MCP servers and OpenAPI endpoints and to call/list tools (e.g., get_gateway_tools using session.list_tools, session.call_tool and the x_amz_bedrock_agentcore_search semantic-search flow) and also to perform direct API calls in agent code (Path D with @requires_access_token / api_key), so the agent will fetch and interpret untrusted third‑party responses that can influence tool selection and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime code uses an injected gateway endpoint (AGENTCORE_GATEWAY_MYGATEWAY_URL, e.g. https://mcp.example.com/mcp) to list and call MCP gateway tools — fetching tool definitions and invoking remote tool executions at runtime, which directly affects agent behavior and executes remote code.