gram-functions

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests and executes user-uploaded function code (users upload ZIP archives with manifest), and the runner performs "Lazy Asset Loading" by fetching code via a pre-signed URL from Tigris blob storage (downloaded and unzipped in the runner), meaning untrusted third-party content is read and can directly influence tool execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The runner downloads user code at runtime from pre-signed URLs (fetched from the Gram server) pointing to Tigris blob storage, which are unzipped and executed as subprocesses—meaning the fetched external content directly controls code executed by the agent (pre-signed Tigris blob storage URLs).