mcp-server-management

Warn

Audited by Snyk on Mar 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's documentation and workflows (SKILL.md "MCP Server Installation Patterns" and "Common MCP Servers", and templates/claude-desktop-config.json) explicitly install and configure public third-party MCP servers (e.g., @modelcontextprotocol/server-fetch, server-brave-search, server-puppeteer, server-github, plus `git clone` from GitHub and npx/npm installs). These servers fetch and ingest open web, social-media, and API content and are intended to be part of the agent's runtime toolset, so untrusted external content enters the model's context and can steer subsequent tool calls and decisions (indirect prompt injection).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Unverifiable external dependency detected (high risk: 0.80). The skill explicitly runs npx/npm installs and git clones that fetch and execute remote MCP server code at runtime (e.g., `git clone https://github.com/org/mcp-server-name.git` and `npx -y @modelcontextprotocol/server-filesystem`, which pull from the npm and GitHub registries). Because these commands reference no pinned version or commit, whatever the registry or repository serves at launch time is what executes; the external repos and packages are therefore runtime code dependencies that can change agent behaviour without any change to the skill itself.
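The two findings above (W011 and W012) are both visible in the client config that the skill writes. The following linter is an added example, not part of the skill or of Snyk's tooling: it reads a config in the `claude_desktop_config.json` layout (`{"mcpServers": {name: {"command", "args"}}}`), flags servers launched through a registry runner with no exact version pin or straight from a remote source (W012), and flags the content-ingesting servers named in the audit (W011). The sample config, the `pins` map and the version numbers in it are constructed for illustration; `pin_versions` shows the corresponding hardening step.

```python
"""Lint an MCP client config for registry-fetched (W012) and content-ingesting (W011) servers."""
import json
import re

REGISTRY_RUNNERS = {"npx", "uvx", "pipx"}   # resolve and execute a package from a registry at launch
# Servers named in the audit whose purpose is to pull open web / third-party API content into context.
CONTENT_INGESTING = {
    "@modelcontextprotocol/server-fetch",
    "@modelcontextprotocol/server-brave-search",
    "@modelcontextprotocol/server-puppeteer",
    "@modelcontextprotocol/server-github",
}
SPEC_RE = re.compile(r"^(?P<name>@?[^@/]+(?:/[^@]+)?)(?:@(?P<ver>.+))?$")
EXACT_VER_RE = re.compile(r"^\d+\.\d+\.\d+$")          # "latest", a tag or a range is not a pin
REMOTE_SRC_RE = re.compile(r"^(https?://|git\+|github:|gitlab:)")


def split_spec(spec):
    """'@scope/pkg@1.2.3' -> ('@scope/pkg', '1.2.3'); an unversioned spec gives ver=None."""
    m = SPEC_RE.match(spec)
    return (m["name"], m["ver"]) if m else (spec, None)


def _package_arg(entry):
    """Index of the first non-flag argument, i.e. the package spec for npx/uvx/pipx."""
    for i, a in enumerate(entry.get("args", [])):
        if not a.startswith("-"):
            return i
    return None


def lint_server(name, entry):
    """Return (server, code, detail) findings for one mcpServers entry."""
    findings = []
    if entry.get("command") not in REGISTRY_RUNNERS:
        return findings            # locally installed binaries are out of scope for this check
    idx = _package_arg(entry)
    if idx is None:
        return findings
    spec = entry["args"][idx]
    pkg, ver = split_spec(spec)
    if REMOTE_SRC_RE.match(spec):
        findings.append((name, "W012", f"executes code straight from a remote source: {spec}"))
    elif ver is None or not EXACT_VER_RE.match(ver):
        findings.append((name, "W012", f"{pkg} resolves to a mutable version ({ver or 'latest'})"))
    if pkg in CONTENT_INGESTING:
        findings.append((name, "W011", f"{pkg} feeds untrusted external content to the agent"))
    return findings


def lint_config(config_text):
    config = json.loads(config_text)
    out = []
    for name, entry in config.get("mcpServers", {}).items():
        out.extend(lint_server(name, entry))
    return out


def pin_versions(config_text, pins):
    """Return the config with each registry-fetched package pinned to the exact version in `pins`.
    Remote-source specs (github:, https://) are left alone: they need a commit pin, not a version."""
    config = json.loads(config_text)
    for entry in config.get("mcpServers", {}).values():
        idx = _package_arg(entry)
        if entry.get("command") not in REGISTRY_RUNNERS or idx is None:
            continue
        spec = entry["args"][idx]
        pkg, _ = split_spec(spec)
        if pkg in pins and not REMOTE_SRC_RE.match(spec):
            entry["args"][idx] = f"{pkg}@{pins[pkg]}"
    return json.dumps(config, indent=2)


# Constructed sample; not the skill's templates/claude-desktop-config.json.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/user/projects"]},
    "fetch":      {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-fetch@0.6.2"]},
    "brave":      {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-brave-search@latest"]},
    "custom":     {"command": "npx", "args": ["-y", "github:org/mcp-server-name"]},
}})

if __name__ == "__main__":
    for server, code, detail in lint_config(SAMPLE_CONFIG):
        print(f"{code} {server}: {detail}")
```

Pinning removes the W012 finding for registry packages but does not touch W011: a pinned `server-fetch` still hands whatever the web returns to the model, so the content-ingesting servers need tool-output treatment (allow-listed domains, output size limits, human confirmation before state-changing follow-up calls) rather than a version pin.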

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the agent to install global packages, edit and overwrite user config files, manage SSH keys and connections, and restart processes, and it explicitly claims to "auto-bypass permissions for automation." It does not request sudo or create users, but it actively directs state-changing actions on the host and implies bypassing the agent's permission prompts, which are the control that would otherwise let a user stop an injected instruction before it takes effect.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 2, 2026, 03:30 AM