mcp-installer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "search" phase explicitly instructs the agent to run websearch/webfetch and "always search online" (e.g., GitHub, npm, https://github.com/modelcontextprotocol, grep.app, context7) to discover MCP servers, and those discovered third‑party pages are read and used to install/configure MCPs and update opencode.json (documenting new MCPs), so untrusted external content can directly influence tool selection and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx to fetch and run remote npm packages at runtime (e.g., "npx -y @modelcontextprotocol/server-github" and similar commands like "@modelcontextprotocol/server-postgres", "@redis/mcp-redis", "@playwright/mcp@latest"), which downloads and executes remote code as a required dependency for local MCP servers.