microsoft-foundry
Warn
Audited by Snyk on May 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests public third-party content as part of required workflows — e.g., it mandates listing/downloading samples via the GitHub API (GET https://api.github.com/repos/microsoft-foundry/foundry-samples/contents/{sample_browse_path}), requires fetching and reading external docs (VS Code Tool Catalog) before guiding the user, and uses WebSearchPreviewTool/Bing Grounding and external MCP/toolbox endpoints — all of which are untrusted public content that the agent must read and that can influence tool use and next actions, creating an indirect prompt-injection surface.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime GitHub API calls (GET https://api.github.com/repos/microsoft-foundry/foundry-samples/contents/{selected_sample_path}) and then downloads sample files via the returned .download_url (curl -sL "$url" -o "$filepath"), which fetches remote code and agent definition files that directly control agent instructions/behavior and are required by the workflow.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata