letta-fleet-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly allows loading prompts, memory blocks, folders, tools, and MCP server content from external buckets and URLs (e.g., "from_bucket" supabase sources in reference/fleet-config.md and external MCP server_url examples like https://sse.firecrawl.dev in SKILL.md), meaning untrusted third-party/user-generated content can be ingested at runtime and directly alter system prompts, tool code, memory, and agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The fleet config includes an MCP server with server_url "https://sse.firecrawl.dev" and agents reference mcp_tools on that server (e.g., "scrape","crawl"), which is invoked at runtime to execute external tool logic that can directly control agent behavior.