webmcp-sdk-skill
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's architecture and workflow explicitly describe loading and interpreting arbitrary public webpages and third-party MCP services. Examples: the "智能操作流程" ("intelligent operation flow") section of rules/ai-extension-architecture.md; snapshotManager, which uses Puppeteer accessibility.snapshot to ingest the page DOM; the per-hostname matching of MCP servers (mcp-servers/*); and remote MCP/agent URLs (agent.opentiny.design, customMarketMcpServers), which the AI reads and acts on. As a result, untrusted, user-generated web content is fetched and used to drive tool calls and navigation.
Issues (1)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).