mcp-configure

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly supports an "agent-assisted" flow where the agent may accept a LAUNCHDARKLY_ACCESS_TOKEN from the user and write it into config (and warns the token will be visible in the config and conversation history), which requires the LLM to handle and output the secret verbatim, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a local-server fallback that runs remote code at runtime via npx (e.g., "npx -y @launchdarkly/mcp-server"), which fetches and executes a package as part of operation (see local server docs https://launchdarkly.com/docs/home/getting-started/mcp-local), so this is a runtime external dependency that executes remote code.