mcp-management

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt tells the agent to collect API keys/tokens via AskUserQuestion and includes examples that embed credentials verbatim in CLI flags/HTTP headers (e.g., --header "Authorization: Bearer TOKEN"), which would require the LLM to handle/output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to use WebSearch/WebFetch on public vendor READMEs and the MCP Registry API (see references/search.md — "Step 2: Fetch Installation Details" and the registry URL) to fetch and interpret open/public third-party content which can change installation/configuration actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs adding and invoking remote MCP servers and running npm packages at runtime (e.g., contacting https://api.githubcopilot.com/mcp/ or running npx -y @modelcontextprotocol/server-postgres), which will fetch/execute remote code and/or return tool outputs that can directly influence agent prompts and behavior.