claude-code-expert

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required setup and examples include adding MCP servers in .mcp.json (e.g., server-puppeteer and server-github entries shown in the .mcp.json example and the "Add necessary MCP servers in .mcp.json" checklist), which enables browsing/public GitHub and other third‑party content to be fetched and fed into the agent's context and thus could allow indirect prompt injection from untrusted user-generated web content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's .mcp.json invokes npx to fetch and run remote npm packages at runtime (e.g., "npx -y @modelcontextprotocol/server-github", "npx -y @modelcontextprotocol/server-postgres", "npx -y @modelcontextprotocol/server-puppeteer", "npx -y @modelcontextprotocol/server-filesystem", "npx -y @anthropic/mcp-server-slack"), which will download and execute external code that can inject model context or control agent behavior.