github-mcp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly exposes GitHub as a data source and lists tools like get_file_contents, search_code, list_issues, and discussions that fetch public, user-generated content from GitHub repositories, issues, discussions and gists which the agent is expected to read and act on, so third-party content could influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill declares a runtime dependency on the Docker image ghcr.io/github/github-mcp-server (and documents the repo https://github.com/github/github-mcp-server); pulling and running that image at runtime executes remote code that provides the MCP server/toolset which can directly control agent prompts/instructions, so it meets the criteria for a risky external runtime dependency.