mcp-servers

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches remote OpenAPI specs at runtime (see "Register MCP Server (OpenAPI)" with spec.type: remote and url) and also fetches hosted A2A agent cards via agent_card_url (references/manifest-schema.md), both of which are converted into MCP tools or agent behavior and therefore can allow untrusted third-party content to influence tool capabilities and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches remote OpenAPI specs at runtime that are auto-converted into MCP tools (e.g. https://petstore.swagger.io/v2/swagger.json) and also supports runtime-fetching of hosted A2A agent cards (e.g. https://research-agent.example.com/.well-known/agent.json), both of which can directly control agent behavior and thus represent a runtime external dependency risk.