dv-connect

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly writes CLIENT_ID and CLIENT_SECRET into a generated .env file and implies collecting/embedding service-principal secrets, which requires the agent to accept and place secret values verbatim into files/outputs (high exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and parses live third-party data as part of its required workflow (SKILL.md Step 2 uses PAC CLI and a curl to the user-supplied https://.crm.dynamics.com endpoint, and references making Azure/Power Apps API calls in references/mcp-configuration.md Step 3b), and those responses (and even npx-installed MCP proxy behavior) directly determine subsequent commands and configuration, so untrusted/user-provided web/API content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs running npx -y @microsoft/dataverse@latest (e.g., commands like npx -y @microsoft/dataverse@latest mcp "{USER_URL}") which at runtime fetches and executes remote code from the npm registry and is required for the Claude MCP registration flow, so it is a runtime external dependency that executes remote code.