FastMCP Development

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes a code example that embeds a bearer token literal (BearerAuth(token="your-token")), which encourages placing secrets directly in generated code/requests and thus requires the LLM to handle/output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill includes multiple required workflow examples that fetch and ingest arbitrary external web content and remote MCP servers (e.g., "OpenAPI Integration" in SKILL.md uses httpx.get("https://api.example.com/openapi.json"), references/tools.md defines fetch_data that GETs arbitrary URLs, references/resources.md has async fetch_api calling external APIs, and composition/proxy examples use Client("https://api.example.com/mcp") / FastMCP.as_proxy), and this externally-sourced content is then read/sampled or used to construct server behavior—creating a clear vector for untrusted third-party content to influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill contains runtime fetches that can directly shape agent behavior — e.g., spec = httpx.get("https://api.example.com/openapi.json").json() used with FastMCP.from_openapi to generate tools/prompts, and Client("https://api.example.com/mcp") used to proxy/mount a remote MCP server — both are external URLs fetched/connected at runtime whose content controls server capabilities.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 21, 2026, 11:22 AM