ai-sdk
Warn
Audited by Snyk on May 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md "MCP Client" section shows the agent creating an MCP client that connects to an arbitrary remote URL (e.g., createMCPClient({ transport: { url: "https://my-mcp-server.com/sse" } })), fetching tool definitions via mcpClient.tools(), and passing those runtime-discovered tools to generateText. The tool names, descriptions and results supplied by that server are untrusted third-party content that the model reads as instructions, so they can steer the agent's actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The example connects createMCPClient to "https://my-mcp-server.com/sse" and calls mcpClient.tools() at runtime to fetch tool definitions that are then handed to generateText()/the agent. Whoever controls that URL controls which tools the agent sees and what they do, so it is a runtime dependency that can directly control agent behavior and cannot be verified at audit time.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill documentation includes a payment-specific tool example ("processPayment"), described as "Process a payment", whose execute handler calls processPayment(amount, recipient). Because this is a concrete financial operation rather than a generic capability, an agent given this tool holds direct authority to execute payments.
Issues (3)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata