mcp-manager

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask users which env/auth options to "set" and "what values to use" and shows TOML examples with API_KEY = "value", which would require the LLM to accept and embed secret values verbatim into configs/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the assistant to open/fetch and read arbitrary URLs and GitHub repositories (see "If user provides a URL: Open/fetch that URL directly..." and "Inspect repo docs quickly..." in SKILL.md), which exposes it to untrusted public web content that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires opening/fetching user-provided URLs at runtime and even mentions the specific GitHub repo https://github.com/upstash/context7 as a source to read install/launch instructions that directly determine prompts and configuration/commands, so this external content is a required runtime dependency that controls agent behavior.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:18 AM