configuring-better-auth

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs adding and using an external MCP server (https://mcp.chonkie.ai/...) for guided setup and includes runtime code that fetches/uses remote JWKS endpoints (e.g., ${SSO_URL}/.well-known/jwks.json or /api/auth/jwks), meaning it will fetch and interpret content from arbitrary public third-party URLs as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The URL https://mcp.chonkie.ai/better-auth/better-auth-builder/mcp is explicitly added as an MCP server at runtime (via claude mcp add / settings.json) and would supply remote guided configuration/instructions that directly control the agent's prompts, making it a required runtime dependency.