mcp-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly instructs fetching and loading public web docs (e.g., https://modelcontextprotocol.io/sitemap.xml and raw.githubusercontent.com README.md) and directs the developer/agent to research API/framework docs via WebFetch and web search, meaning the agent will ingest untrusted, user-generated public content that can influence tool design and runtime decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The evaluation script accepts and uses an external MCP server URL at runtime (e.g., https://example.com/mcp) to fetch tool definitions via connection.list_tools and passes those tools into the model—allowing that remote endpoint to directly influence agent prompts/tooling and trigger tool execution.