mcp-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to fetch and load public web content (e.g., https://modelcontextprotocol.io/sitemap.xml and https://raw.githubusercontent.com/modelcontextprotocol/.../README.md) and to connect to arbitrary MCP server URLs during evaluations, so it ingests untrusted third‑party content that can materially influence tool selection and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The evaluation harness (scripts/evaluation.py) can connect at runtime to a remote MCP server URL (e.g., https://example.com/mcp) and loads that server's tool definitions via the connection which are then passed into the LLM as "tools", meaning remote content fetched from that URL directly controls the agent's available instructions/tooling and can cause remote code/tool execution.