investigating-agentforce-architecture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill’s runtime pipeline fetches outsider-authored free text from the target Salesforce org’s metadata—e.g., Flow Metadata (complexvalue) and Apex Body/SymbolTable—via Tooling/Data API SOQL calls in scripts/fetch_soql.py (e.g., fetch_flow_metadata() → Flow.Metadata, fetch_apex_bodies_by_*() → ApexClass.Body), and then renders/embeds that content into the LLM-visible architecture.md/tree JSON context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill, at runtime, calls the org's Salesforce REST/Metadata endpoints (via the sf CLI / rest_client against the org instance URL, e.g. https://.salesforce.com) to retrieve GenAiPromptTemplate bodies which are injected into the metadata tree and therefore can directly control prompts/instructions.