mcp-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports remote HTTP+SSE MCP servers (see the "Remote Server (HTTP+SSE with OAuth)" and remote server configuration examples using "url" and OAuth discovery from /.well-known/oauth-authorization-server) and documents dynamic "list_changed" notifications that cause Claude Code to refresh and enable new tools, meaning arbitrary third-party server-provided content can be ingested and directly change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill config includes runtime HTTP+SSE endpoints (e.g., "https://mcp.example.com/sse" and "https://api.example.com/mcp/sse") that the agent connects to and which can push tool lists/notifications that change agent behavior, and it also runs package-fetching commands at runtime (e.g., bunx -y @upstash/context7-mcp, npx -y @modelcontextprotocol/server-sequential-thinking) which fetch and execute remote code—therefore these external endpoints/packages are runtime dependencies that can directly control prompts or execute code.