laravel-plugin-discovery

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill calls an external LaraPlugins MCP server (https://laraplugins.io/mcp/plugins) and its GetPluginDetailsTool explicitly returns/readme content and package metadata from public packages—which the agent is instructed to review and use to make recommendations—so untrusted, user-generated third-party content can influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires the LaraPlugins MCP server at https://laraplugins.io/mcp/plugins at runtime, and its GetPluginDetailsTool explicitly fetches README/content and metrics that are injected into the agent context (i.e., remote content that can directly influence prompts), so this external URL is a runtime dependency that can control agent behavior.