mcp-openapi-proxy

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill accepts an OpenAPI spec via MCP_SPEC (a "Path or URL to OpenAPI 3.x spec" in the Configuration and shown in the MCP client examples), which the proxy ingests to generate tools, endpoints, and security scopes that the agent reads and acts on—exposing it to untrusted third-party content that can materially influence tool selection and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Flagging external OpenAPI spec URLs used via MCP_SPEC (e.g., https://api.example.com/openapi.yaml) because the proxy fetches the spec at startup/runtime, the fetched spec directly determines the agent's tool descriptions and input prompts, and the proxy requires the spec to run.