mcp-integration
Warn
Audited by Snyk on Feb 25, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs connecting to external MCP servers via SSE/HTTP/WS (e.g., https://mcp.asana.com/sse, https://mcp.github.com/sse, and arbitrary HTTP URLs). SKILL.md and references/tool-usage.md describe agents that query those third-party servers and autonomously act on, or chain tool calls based on, the returned (often user-generated) data, which could allow indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill contains stdio server examples that run "npx -y @modelcontextprotocol/server-filesystem" (seen in the stdio examples and filesystem configuration), which fetches an npm package at runtime and executes remote code, making it a required runtime dependency.