claude-peers-mcp

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). bun.sh and ara.so look like legitimate vendor/project sites, but the flow requires cloning and executing an unverified GitHub repository (louislva/claude-peers-mcp) and running it with a runtime and "dangerously" flags — executing unreviewed code that can run a local server and access channels is a meaningful security risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs users to git clone and run code from https://github.com/louislva/claude-peers-mcp.git, which fetches external code that is then executed (bun ~/claude-peers-mcp/server.ts) and can inject messages into Claude sessions, so it directly executes remote code and can control agent prompts.