mcp-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow explicitly requires fetching and studying public web pages (e.g., "https://modelcontextprotocol.io/sitemap.xml" and raw.githubusercontent.com SDK READMEs via WebFetch) as part of Phase 1 research, so the agent will ingest open, potentially user-generated third‑party content which can materially influence tool design and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The evaluation harness accepts a runtime MCP server URL (e.g., https://example.com/mcp) and fetches the server's tool definitions/results which are passed into the model as "tools" and used to drive tool_use calls, meaning remote content from that URL directly controls agent instructions and triggers remote code execution.