MCP Architecture Expert
Warn
Audited by Snyk on Apr 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (risk score 0.90, high). The SKILL.md expects the agent to read resources from third-party sources: the "Common MCP Servers" section lists GitHub, Slack, Google Drive and "Puppeteer - Web scraping", and the Resources examples show URIs such as "github://issues" and "file:///docs/api-spec.md". Content fetched from these sources is untrusted and may be user-generated; text the agent reads from them can steer which tools it calls and what actions it takes (indirect prompt injection).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (risk score 0.90, high). The skill demonstrates running remote packages at runtime, e.g. "npx @modelcontextprotocol/server-github" and "pip install mcp-server-slack" / "python -m mcp_server_slack". These commands fetch and execute code from external registries (npm and PyPI; related repository https://github.com/modelcontextprotocol/servers) without a pinned version, and the servers they start supply prompts, resources and tool results to the agent. Whoever controls the published package can therefore control the agent's prompts directly or execute code on the host.
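The following is an added example, not Snyk's scanner and not code from the audited skill. It shows a minimal static check that finds the two patterns reported above in a SKILL.md: runtime package execution from a registry without a pinned version (labelled W012 here, borrowing the report's identifier) and resource URIs whose content the agent will read but does not control (labelled W011). The sample SKILL.md is constructed for the example, and the "@1.2.3" pinned line uses a hypothetical version string, not a real release.

```python
"""Added example (not Snyk's scanner): a minimal static check for the two
patterns this audit reports in a SKILL.md.

  W012 - a runtime command that fetches and executes a package from a
         registry (npx / pip install) without a pinned version
  W011 - a resource URI whose content the agent will read but does not control

The sample SKILL.md below is constructed for the example; the "@1.2.3"
line is a hypothetical version string, not a real release.
"""
import re
from dataclasses import dataclass

SAMPLE_SKILL_MD = """\
## Common MCP Servers
- GitHub: npx @modelcontextprotocol/server-github
- Slack: pip install mcp-server-slack && python -m mcp_server_slack
- Puppeteer - Web scraping
## Resources
- github://issues
- file:///docs/api-spec.md
- Pinned form (hypothetical version): npx -y @modelcontextprotocol/server-filesystem@1.2.3
"""

# `npx [-y|--yes] <package[@version]>`; scoped packages start with "@scope/".
NPX_RE = re.compile(
    r"\bnpx\s+(?:(?:-y|--yes)\s+)?"
    r"(?P<spec>@?[\w.-]+(?:/[\w.-]+)?(?:@[\w.^~<>=*-]+)?)"
)
# `pip install <name[==version]>`; other forms (-r, URLs) are out of scope here.
PIP_RE = re.compile(r"\bpip\s+install\s+(?P<spec>[\w.-]+(?:==[\w.]+)?)")
# Any scheme://... token is a resource the agent may read.
URI_RE = re.compile(r"\b(?P<scheme>[a-z][a-z0-9+.-]*)://\S+")
LOCAL_SCHEMES = {"file"}


@dataclass(frozen=True)
class Finding:
    rule: str    # "W011" or "W012", labels borrowed from the audit report
    line: int    # 1-based line in the SKILL.md
    detail: str


def npm_version_of(spec: str):
    """Return the version part of an npm spec, or None if unpinned.

    "@scope/name@1.2.3" -> "1.2.3"; "@scope/name" -> None; "name@2" -> "2".
    The leading '@' of a scope is not a version separator.
    """
    idx = spec.rfind("@")
    if idx <= 0:
        return None
    return spec[idx + 1:]


def scan_skill(text: str):
    """Scan SKILL.md text and return findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in NPX_RE.finditer(line):
            spec = m.group("spec")
            if npm_version_of(spec) is None:
                findings.append(Finding("W012", lineno,
                                        f"npx runs unpinned npm package {spec!r}"))
        for m in PIP_RE.finditer(line):
            spec = m.group("spec")
            if "==" not in spec:
                findings.append(Finding("W012", lineno,
                                        f"pip installs unpinned package {spec!r}"))
        for m in URI_RE.finditer(line):
            kind = "local file" if m.group("scheme") in LOCAL_SCHEMES else "third-party"
            findings.append(Finding("W011", lineno,
                                    f"{kind} resource {m.group(0)!r} is read as untrusted content"))
    return findings


if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD):
        print(f"{f.rule} line {f.line}: {f.detail}")
```

On the constructed sample this reports the unpinned `npx` and `pip install` lines and the two resource URIs, and stays silent on the pinned `npx` line. A version pin only makes the dependency identifiable; it still trusts the registry, so pair it with a lockfile or `pip --require-hashes` and review of the package. For the W011 findings the fix is in how the agent handles what it reads: treat fetched resource content as data rather than instructions, and require confirmation before it can trigger destructive tool calls.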
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata