edgedb

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill documentation shows the agent uses the Membrane CLI to connect to arbitrary external app URLs (e.g., membrane connection ensure "https://..."), to list actions from those connections (membrane action list) and to read clientAction objects including clientAction.agentInstructions (SKILL.md), meaning it consumes untrusted third‑party responses that can programmatically influence which actions the agent runs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs the Membrane CLI at runtime (e.g., membrane connection ensure "https://www.edgedb.com/") and the resulting connection object can include clientAction.agentInstructions returned from the remote service, meaning content fetched via the provided app URL (https://www.edgedb.com/) could directly supply instructions that control the agent.