mcp-builder

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes explicit examples of embedding API keys and bearer tokens directly in commands and HTTP headers (e.g., -H "Authorization: Bearer token123", -e GITHUB_TOKEN=ghp_xxx), which encourages the agent to output secrets verbatim and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The evaluation guide explicitly instructs the agent to fetch and inspect external documentation and live MCP server content (see "Step 1: Documentation Inspection" — "fetch additional information from the web" — and "Step 4: Read-Only Content Inspection" which directs using MCP tools to read users/channels/messages), and the examples reference GitHub and SSE/HTTP transports that connect to arbitrary public URLs (e.g., https://example.com/mcp), meaning the agent will read untrusted, user-generated third‑party content.