langgraph-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly ingests untrusted third‑party content — e.g., the Deep Agents built‑in "web_search" tool, the MCP Integration examples that load remote tools via streamable-http (including web search and GitHub MCP servers), and the functional API's fetch_data(url) (requests.get) — and those results are consumed by agents to drive routing, tool calls, and decision-making.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly shows MultiServerMCPClient connecting at runtime to a remote MCP endpoint (e.g., "https://mcp.example.com/mcp"), which returns/hosts tool definitions and/or runs tool servers that the agent loads and can execute, so this is a runtime external dependency that can directly control agent behavior.