langchain4j-mcp-server-patterns
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and its examples (references/examples.md) include a GitHubToolProvider that calls the GitHub API, and HttpMcpTransport examples that connect to arbitrary SSE/HTTP URLs (e.g., sseUrl/http transport). The MCP client/tool provider integration (mcpClient.listTools(), getResource(), executeTool(), and AIAssistant with McpToolProvider) shows that the agent fetches and interprets public, user-generated content from external HTTP/GitHub servers as part of its workflow, which can materially influence tool selection and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's Stdio transport runs remote packages/containers at runtime (e.g., the command "npm exec @modelcontextprotocol/server-everything@0.6.2" and the application.yml docker command "docker run ... mcp/github"), which fetches and executes remote code that can supply MCP tools/resources/prompts and thus directly control agent prompts or behavior.
Audit Metadata