GitHub Agentic Workflows MCP Configuration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — SKILL.md explicitly configures HTTP/SSE MCP servers and shows the agent fetching and consuming remote content (e.g., discoverHTTPTools calling ${server.url}/tools/list, the "github-api" HTTP example, and the SSE "realtime-monitor" event stream), meaning untrusted third‑party tool definitions and streamed events from arbitrary URLs can be read and used to register/invoke tools and influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill performs runtime HTTP/SSE requests to external MCP servers (e.g., https://mcp.github.com/v1) — it fetches /tools/list and registers those tool definitions and calls /tools/call at runtime, so remotely-hosted content directly controls the agent's available prompts/tooling and results in remote code/actions being executed.