declarative-agent-developer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). Outsider free text can enter the LLM context via the MCP tool discovery/runtime path: the skill performs an MCP tools/list handshake against a user-supplied external MCP server URL, then inlines the returned tool description/metadata (outsider-authored text) into the agent’s plugin manifest, which the orchestrator then provides to the LLM as tool/function descriptions at runtime.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs runtime calls to user-provided MCP server endpoints (e.g., POST to <MCP_SERVER_URL>/.well-known/openid-configuration and POST to <MCP_SERVER_URL> for tools/list) and explicitly runs npx -p mcp-remote@latest mcp-remote-client <MCP_SERVER_URL>, which fetches and executes remote code and then inlines the returned tools into the plugin manifest (thereby directly controlling agent behavior), so these external endpoints/packages are required runtime dependencies.