github-mcp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly exposes GitHub public content (e.g., tools like get_file_contents, search_code, list_issues, discussions, and gists) so the agent will fetch and read user-generated, untrusted repository files, issues/discussions and gists that can materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill requires Docker and explicitly names the remote image ghcr.io/github/github-mcp-server which would be pulled and run at runtime (executing remote code) to provide the MCP server that loads prompt/tooling contexts used to control agent behavior, so this external image is a runtime dependency that directly controls prompts/executes code.