mcp-setup

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes multiple examples that embed API keys/tokens/passwords directly in command-line args, headers, DSNs, and project config files (and suggests committing project-scoped configs), which can cause an agent to output secret values verbatim rather than keeping them in environment variables or secure stores.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs adding HTTP MCP servers pointing at public services (examples: GitHub, Notion, Sentry) and shows using MCP resources (e.g., "Analyze @github:issue://123" and "/mcp__github__list_prs"), which means the agent will fetch and interpret content from external, potentially user-generated public services as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill instructs Claude to connect to MCP HTTP endpoints that are contacted at runtime and can deliver MCP "prompts" which become slash commands (e.g., https://api.githubcopilot.com/mcp/), meaning external content at that URL can directly control agent instructions.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 18, 2026, 07:48 PM