Skills
skills/mapbox/mapbox-agent-skills/mapbox-mcp-runtime-patterns/Snyk

mapbox-mcp-runtime-patterns

Warn

Audited by Snyk on Apr 1, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The examples start the MCP server at runtime using commands like subprocess.Popen(['npx', '@mapbox/mcp-server']) and spawn('npx', ['@mapbox/mcp-server']), which fetch and execute remote package code as a required self-hosted dependency (see https://github.com/mapbox/mcp-server), so this is a runtime external dependency that executes remote code.

Issues (1)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 1, 2026, 08:11 AM
Issues
1