mcp-server-manager

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill includes examples and commands that directly embed API keys, bearer tokens, and plaintext passwords (e.g., --header "Authorization: Bearer YOUR_TOKEN", --env DB_PASSWORD=secret123, add-json with "API_KEY"), which encourages the agent to accept and place secret values verbatim into generated commands or configs, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md and references/mcp_documentation.md explicitly instruct adding and using remote MCP servers via arbitrary HTTP/SSE/stdio URLs (e.g., "claude mcp add --transport http " and examples like https://mcp.notion.com/mcp), and the agent is expected to query and act on the servers' responses (examples show asking the agent to read data, run prompts, and perform actions), so untrusted third‑party content can be ingested and materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs Claude Code to contact external MCP endpoints at runtime (for example: https://mcp.notion.com/mcp), and MCP servers can expose prompts/slash-commands that directly control the agent (and stdio examples like "npx -y airtable-mcp-server" demonstrate fetching/executing remote code), so these external URLs/packages can control prompts or execute code during runtime.