cxas-agent-foundry

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The tdd-writer sub-agent explicitly accepts arbitrary sources including URLs and instructs "read the file or fetch the URL (use WebFetch for URLs)", and those fetched third‑party contents are parsed and used to generate the authoritative TDD (which drives scaffolding, tools, callbacks, and evals), so untrusted web content can materially alter agent behavior and tool use (see agents/tdd-writer.md "For items with path, read the file or fetch the URL").