claude-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly configures and instructs runtime use of external MCP servers and web tools (see references/mcp-integration.md entries for "brave-search", "puppeteer" and "Remote MCP Servers" with arbitrary "url" fields) and allows installing plugins from GitHub or arbitrary URLs (see references/hooks-and-plugins.md), meaning the agent will fetch and interpret untrusted public web content and repository/plugin data that can materially influence subsequent tool calls and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes explicit runtime fetch/execute patterns that can control prompts or run remote code — e.g., fetching documentation into context via https://context7.com/websites/claude_en_claude-code/llms.txt?topic=&tokens=5000 and launching MCP servers that run remote packages with npx (e.g., npx -y @modelcontextprotocol/server-filesystem), both of which would be fetched/executed at runtime and can directly affect agent instructions.