cursor-mcp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill configures external MCP servers that the agent will call and interpret as tools (see SKILL.md and references/http.md / references/sse.md / references/inline-config.md which show mcpServers with external URLs like https://mcp.example.com and notion), so untrusted third‑party responses could be ingested and influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The stdio example spawns "npx @modelcontextprotocol/server-github", which causes npx to fetch and execute a remote npm package at runtime (executing external code inside the agent), so this runtime dependency can directly run code in the agent environment.