truefoundry-notebooks

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and manifest templates explicitly fetch and ingest untrusted external content at runtime — e.g., artifacts_download from the HuggingFace Hub, build_source:type=git repo_url, remote OpenAPI specs for MCP servers, and agent_card_url/hosted-a2a-agent URLs (see SKILL.md and references/manifest-schema.md / references/api-endpoints.md) — which the agent is expected to read/convert into tools or deployments and therefore could carry indirect prompt-injection instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches remote resources at runtime that can control agent behavior—e.g., MCP OpenAPI specs like "https://api.weather.example.com/openapi.json" (remote spec is fetched and converted into MCP tools) and hosted agent cards like "https://research-agent.example.com/.well-known/agent.json" (agent_card_url is fetched at runtime)—which can directly alter prompts/tools exposed to the agent.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly includes commands that use sudo to install system packages (e.g., "sudo apt update" / "sudo apt install -y ...") and advises adding build scripts that perform privileged system modifications, which directs the agent to modify the host state with elevated privileges.