mcp-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt repeatedly instructs the agent to prompt for API tokens/passwords and embed them verbatim into generated config files, example JSON, and commands (including explicit token examples), which directly exposes secrets in the agent's output and context.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and templates (Phase 2 "Official MCP Servers" and the Phase 3 server templates, e.g., the "brave-search", "fetch", "puppeteer", and "github" server configurations) explicitly configure MCP servers that fetch and read public web pages and GitHub repository contents, meaning the agent will ingest untrusted third-party content that can influence subsequent tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The setup scripts invoke npx to fetch and execute MCP server packages at runtime (e.g., npx -y @modelcontextprotocol/server-github, which pulls code from the npm registry such as https://registry.npmjs.org/@modelcontextprotocol/server-github), so remote code is fetched and executed and can directly control agent behavior.