mcp-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit example env fields and connection strings containing API tokens and secrets (e.g., "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_xxxx", "xoxb-xxxx", and "postgresql://user:pass..."), which encourages the LLM to produce or insert secret values verbatim into configuration files/commands, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows configuring MCP servers that connect to public sources (e.g., "brave-search" in the Popular MCP Servers section and "github" server examples) which would let the agent fetch and read untrusted, user-generated web/GitHub/search content via MCP tools and thus potentially accept indirect instructions from those sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime commands that fetch and execute remote packages (e.g., "npx -y @modelcontextprotocol/server-filesystem" and "npm install @modelcontextprotocol/sdk" / "pip install mcp"), which will retrieve and run code from external registries (npm/PyPI) that the MCP servers rely on, so remote content can execute code and influence the agent.