day2-supplement-mcp
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). Although the content is an instructional guide and contains no explicit malicious payloads or exfiltration commands, it directs users to run third‑party packages via npx, add stdio MCP servers (including filesystem access), and install community plugins/marketplace items — all of which create clear supply‑chain, remote code execution, and local data‑access vectors that could be abused to exfiltrate credentials or run arbitrary code.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs connecting and using MCP servers that fetch and read open third‑party/user‑generated content (e.g., Block 2’s Fetch example pulling https://news.ycombinator.com and Block 3/4 references to GitHub/registry, Slack, Notion, and community plugins), so the agent will ingest untrusted external content as part of its workflow.