mcp-oauth

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill captures OAuth access and refresh tokens and then instructs using them verbatim in curl commands (e.g., -H "Authorization: Bearer ${ACCESS_TOKEN}" and refresh exchanges), which requires the agent to handle and insert secret token values into generated requests and so risks exfiltration if those values appear in LLM output or logs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill directly fetches and ingests metadata and tool listings from arbitrary MCP servers (see SKILL.md steps "Discover Protected Resource Metadata" fetching ${MCP_SERVER_URL}/.well-known/... and "List Tools" which POSTs to ${MCP_SERVER_URL}/ to present tool names/descriptions), so untrusted third‑party content can influence which tools are shown and which actions the agent takes.