ai-core
Warn
Audited by Snyk on May 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly lets the client connect to arbitrary external URLs (e.g., the dynamic URL/options accepted by fetchServerSentEvents/fetchHttpStream in ai-core/custom-backend-integration/SKILL.md), and the runtime consumes streamed AG-UI events (ag-ui-protocol/SKILL.md), including TOOL_CALL and message chunks (chat-experience/tool-calling SKILLs). Untrusted third-party backends or public URLs can therefore send content that the agent parses and that can drive tool calls and next actions.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).