building-mcp-servers

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs fetching and reading public web documentation and raw GitHub files (e.g., "https://modelcontextprotocol.io/sitemap.xml" and raw.githubusercontent.com links) and its evaluation harness can connect to arbitrary MCP server URLs (-u/HTTP or SSE transports), meaning the agent will ingest untrusted third‑party web content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The evaluation harness (scripts/evaluation.py) connects at runtime to an external MCP server URL (e.g., https://example.com/mcp) via create_connection and calls connection.list_tools() to fetch tool definitions which are then passed into the model as "tools" (directly influencing the agent's prompts/behavior and enabling remote tool execution), so the external URL is a required runtime dependency that controls agent instructions.