adk-cheatsheet

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly documents and demonstrates web-facing tools (e.g., "Built-in Tools" listing google_search and load_web_page and example: Agent(tools=[google_search], ...)) and even instructs fetching the ADK docs index via curl (https://google.github.io/adk-docs/llms.txt), showing the agent is expected to ingest open/public web content that could carry untrusted instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill contains explicit runtime examples that fetch external agent definitions and connect to remote tool servers — e.g., RemoteA2aAgent.agent_card fetching at "http://remote-host:8001{AGENT_CARD_WELL_KNOWN_PATH}" and MCP SSE connection "https://mcp.example.com/sse" — which, if used at runtime, would load remote agent instructions or expose remotely-executed tools and thus can directly control agent prompts or execute code.