agent-framework-azure-ai-py

Warn

Audited by Snyk on Apr 28, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill directly includes hosted web-search and MCP tools in its required workflows (e.g., HostedWebSearchTool in SKILL.md/references/tools.md and HostedMCPTool / MCPStreamableHTTPTool examples referencing public endpoints like https://learn.microsoft.com/api/mcp and https://api.github.com in references/mcp.md), which cause the agent to fetch and interpret open/public third-party content as part of its operation and could therefore enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill registers MCP tool endpoints (e.g., https://learn.microsoft.com/api/mcp) via HostedMCPTool / MCPStreamableHTTPTool which are contacted at runtime to provide tool definitions/instructions that the agent will use to drive behavior, so this external URL can directly control prompts or trigger remote-executed actions.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 28, 2026, 03:12 PM
Issues: 2