microsoft-foundry
Warn
Audited by Snyk on May 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's required Create workflow (foundry-agent/create/create.md, Steps 3–4, "Browse and Select Sample" and "Download Sample Files") explicitly instructs the agent to call the public GitHub API and fetch sample files. Other parts of the skill enable Web Search / Bing Grounding and external MCP/toolbox endpoints. The agent therefore ingests untrusted public web content that it is expected to read and act on, and that content can materially influence subsequent code, deployment, and tool-use decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs runtime downloads of sample code via the GitHub API (e.g., https://api.github.com/repos/microsoft-foundry/foundry-samples/contents/{selected_sample_path}) and via raw download URLs (curl ... .download_url), then uses that code to build and run hosted agents. Remote content fetched at runtime can therefore execute and directly control agent behavior.
Issues (2)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).