native-mcp

Fail

Audited by Snyk on Apr 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and instructs embedding API keys/tokens in config/env and HTTP headers (e.g., "ghp_...", "Bearer sk-..."), meaning an LLM would be expected to include secret values verbatim when generating configs, code, or commands, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to connect to arbitrary MCP servers via command (npx/stdio) or URL (HTTP) under mcp_servers and documents the sampling/createMessage capability whereby MCP servers can request LLM completions and invoke tools, meaning untrusted third-party server responses can be ingested and directly influence the agent's decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill connects at runtime to configured MCP HTTP endpoints (e.g., "https://mcp.mycompany.com/v1/mcp") which can issue sampling/createMessage LLM requests that directly control prompts, and it also spawns subprocesses via npx (e.g., "npx -y @modelcontextprotocol/server-filesystem") which fetch and execute remote code; both are runtime dependencies that can control prompts or execute code.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 27, 2026, 07:07 AM
Issues: 3