connect-mcp-server

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly allows adding HTTP/stdio MCP servers that point to arbitrary public services and URLs (e.g., GitHub issues @github:issue://..., Notion pages @notion:page://..., Slack history, Google Drive, Brave Search and other community/public MCP servers) whose resources and prompts the agent will read and execute, exposing it to untrusted user-generated third-party content and indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs Claude Code to connect to HTTP MCP servers (e.g., https://mcp.github.com), which are contacted at runtime to provide tools, resources and prompts that can directly control the agent's instructions and trigger remote actions, so this is a runtime external dependency that can control prompts/execute code.