gemini-managed-agents-api

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md create-agent workflow explicitly allows mounting remote Google Cloud Storage buckets into the agent workspace ("sources": [{"type":"gcs", "source":"gs://..."}]), enables web-facing tools like "google_search" and "url_context", and permits configuring external MCP servers and an open network allowlist — all of which let the agent fetch and interpret untrusted third-party content that can influence its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill examples mount remote skills from a Google Cloud Storage path (gs://your-agent-bucket-name/skills) into the agent workspace and allow configuring an external MCP endpoint (https://mcp.yourcompany.com/api), both of which are runtime-loaded external dependencies that can provide code or instructions that directly control agent behavior.