mcp-setup
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt's example configurations explicitly place API tokens and passwords (e.g., "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_xxxx", "SLACK_BOT_TOKEN": "xoxb-xxxx", "postgresql://user:pass@...") into JSON/env fields and command args, which instructs users to embed secrets verbatim and therefore creates an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly configures MCP servers that pull content from public third-party sources—e.g., the "brave-search" server (web search results) and the "github" server (public/user-generated GitHub repos)—which the agent is expected to read and act on as part of its workflow, allowing indirect prompt injection.
Audit Metadata