The Agent Skills Directory

Data Exposure & Exfiltration (MEDIUM): SQL Injection vulnerability detected in templates/full-server.ts. The search-database tool accepts a table parameter that is directly interpolated into a SQL string (SELECT * FROM ${table} ...). This allows an attacker to query any table in the D1 database, bypassing intended access controls.
Data Exposure & Exfiltration (LOW): Potential SSRF (Server-Side Request Forgery) in references/tool-patterns.md. Pattern 6 (Streaming Responses) demonstrates a tool that fetches a URL directly from user-provided input without domain whitelisting or sanitization of the target origin.
Indirect Prompt Injection (LOW): The skill templates create a vulnerability surface for indirect prompt injection as they ingest untrusted data and provide powerful capabilities without sanitization.
Ingestion points: Tool arguments such as table, query, and url in the generated index.ts files.
Boundary markers: None implemented in the provided templates to distinguish instructions from data.
Capability inventory: The templates provide tools with database read/write access (env.DB) and external network fetching capabilities (fetch).
Sanitization: Absent. SQL identifiers and URL origins are not validated against allowed whitelists.
Unverifiable Dependencies & Remote Code Execution (LOW): The scripts/init-mcp-server.sh script downloads and installs packages from npm. While these are industry-standard packages, the script lacks checksum verification or strict lockfile enforcement during the initialization phase.
Command Execution (SAFE): The scripts/init-mcp-server.sh script performs standard project initialization tasks such as directory creation, file copying, and package installation. It does not execute arbitrary remote code or obfuscated commands.

typescript-mcp