eval-mcp

Warn

Audited by Snyk on Mar 28, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). SKILL.md Phase 1b instructs fetching tool schemas from a user-specified MCP server (implemented by scripts/fetch-tools.sh, which calls the Inspector CLI against the provided URL), and Phase 3a then injects those fetched tool schemas into the subagent prompt ("{tool schemas as JSON}") for tool-selection decisions. Arbitrary, untrusted third-party schemas are therefore ingested and can directly influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's fetch-tools.sh calls an external MCP server URL at runtime (a user-supplied MCP server endpoint, e.g. "http://localhost:3000/mcp") via the Inspector CLI (npx @modelcontextprotocol/inspector) to retrieve tool schemas, which are then injected wholesale into the subagent prompt. A remote URL can thus directly control the prompt content and, through it, the agent's behavior.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 28, 2026, 09:56 PM
Issues: 2