Third-Party Content Inclusion

Third-party content inclusion happens when a skill loads resources from external servers that the skill author does not control. This includes JavaScript from CDNs, iframes embedding external pages, CSS from third-party hosts, fonts, images loaded from arbitrary URLs, and API responses that include executable content. The skill author trusts these resources at publication time, but they can change at any time without the author knowledge or consent.

This is distinct from external downloads (which the skill explicitly fetches and runs) because third-party content inclusion is often incidental. A skill might render a UI that includes a script tag pointing to a CDN. The script is a formatting library today, but if the CDN is compromised, it becomes malware tomorrow. The skill code never changes. The threat comes from the content it references.

Aguara detects four patterns of third-party content inclusion: external script loading, iframe embedding, dynamic resource fetching from untrusted origins, and content that changes the execution environment based on externally-loaded data.

In traditional web development, third-party content inclusion is managed through Content Security Policy (CSP), Subresource Integrity (SRI), and sandboxed iframes. The browser provides a security boundary. In the AI agent ecosystem, those boundaries often do not exist.

When a skill includes third-party content, that content runs with the skill full permissions. There is no CSP equivalent for MCP tools. There is no sandboxed iframe for agent-side rendering. A compromised third-party script included by a skill can access everything the skill can access, which includes the agent context and capabilities.

The trust chain extends far beyond what users realize. You install a skill from a trusted author, but that skill loads a JavaScript library from a CDN, which loads a polyfill from another CDN, which loads analytics from yet another domain. Each hop in this chain is a potential point of compromise, and none of them are visible in the skill own code.

Use Subresource Integrity (SRI) for every external script or stylesheet your skill loads. SRI pins the content to a specific hash, so even if the CDN is compromised, the browser will reject modified content. If the resource does not support SRI (because it changes frequently), host a copy yourself instead of loading it from a third party.

Avoid iframes and external content embedding whenever possible. If you must embed external content, sandbox the iframe aggressively (sandbox="" with only the specific permissions needed). Better yet, fetch the content server-side, sanitize it, and render it yourself. This gives you control over what reaches the user.

As a user, check whether skills load resources from external URLs. Look at the skill source for script tags, iframe tags, fetch calls to external domains, and image URLs pointing to third-party hosts. Prefer skills that bundle all their resources locally rather than loading them from the network at runtime.