opensearch-skills

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to fetch and ingest untrusted public content (e.g., "uv run python scripts/opensearch_ops.py load-sample --type url --value https://example.com/data.json" in cli-reference.md and Docling's converter.convert("https://example.com/report.pdf") in document_processing_guide.md) and also enables web-search tools (ddg-search/WebSearchTool referenced in opensearch-launchpad and agentic_search_guide) that the agent will read and use to plan queries or drive actions, which meets the criteria for indirect prompt injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill declares runtime connectors that call external model endpoints — for example the Amazon Bedrock runtime URL used by the ML connector (e.g. https://bedrock-runtime.${parameters.region}.amazonaws.com/model/${parameters.model}/converse and https://bedrock-runtime..amazonaws.com/model/amazon.titan-embed-text-v2:0/invoke) which are invoked at runtime to execute remote model inference and are required for the agentic/dense-vector workflows.