mcp-management

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to collect required API keys/tokens via AskUserQuestion and includes examples of passing Authorization headers (e.g., --header "Authorization: Bearer TOKEN"), which implies embedding secrets verbatim into commands/requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's search workflow (references/search.md) explicitly instructs the agent to perform WebSearch/WebFetch on vendor GitHub READMEs and to query the public MCP Registry API (https://registry.modelcontextprotocol.io/...) to fetch installation details and configuration, meaning the agent will ingest untrusted third-party web content that can directly influence install/config commands and next actions (prompt-injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime commands that fetch and run remote MCP servers/packages (for example "npx add-mcp https://mcp.stripe.com" and "npx -y @modelcontextprotocol/server-postgres"), so the URL https://mcp.stripe.com is used at runtime to connect to a remote server that can provide prompts/tooling to the agent or cause remote code to be executed.