mcp-builder

Fail

Audited by Snyk on Feb 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content contains an explicit evaluation harness that collects tool inputs and outputs (including data returned by MCP tools and any environment-provided secrets) and sends them to a remote LLM service (Anthropic), while instructing the model to include the exact inputs and outputs in its summaries. This creates a built-in data-exfiltration vector and an easy avenue for harvesting credentials or other secrets. Additionally, the guides show mechanisms (ctx.elicit) that can solicit API keys from users. Both are high-risk, dual-use features that can be abused to exfiltrate secrets to external servers.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md and reference docs explicitly direct the agent/developer to fetch and study public web pages (e.g., https://modelcontextprotocol.io/sitemap.xml and raw.githubusercontent.com/.../README.md in Phase 1.2 and the evaluation guide). The agent will therefore ingest untrusted, public third-party content that can influence both tool design and runtime actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 19, 2026, 03:57 PM