mcp-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly configures and uses MCP servers that fetch and act on arbitrary public URLs (e.g., server-brave-search, server-puppeteer, server-fetch listed in references/configuration.md and examples in references/gemini-cli-integration.md and SKILL.md which show piping prompts like "Search ..."/"Take a screenshot of https://example.com"), so the agent will ingest and act on untrusted third‑party web content that can influence tool selection and execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime configuration spawns npx to run MCP server packages (e.g., "npx -y @modelcontextprotocol/server-memory" from .claude/.mcp.json), which will fetch and execute remote code from the npm registry (e.g. https://registry.npmjs.org/@modelcontextprotocol/server-memory), so external content is fetched at runtime and directly runs code the skill depends on.