agents-mcp

Fail

Audited by Snyk on Mar 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed secrets verbatim in shell/CLI commands (export DATABASE_URL="postgresql://user:pass@...", --env GITHUB_TOKEN=ghp_xxx) which encourage passing API keys/passwords directly in output or commands, even though it also advises using env vars/secret managers.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly configures and uses external MCP servers that pull data from third-party services (e.g., "Add GitHub integration" with @modelcontextprotocol/server-github, "claude mcp add --transport http notion https://mcp.notion.com/mcp", and PostHog MCP endpoints) so the agent will ingest and act on untrusted, user-generated content from public web services.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill shows runtime execution of remote packages via npx (e.g., "npx -y @modelcontextprotocol/server-postgres" and "npx -y mcp-remote@latest https://mcp-eu.posthog.com/sse") and connects to external MCP endpoints (e.g., https://mcp.notion.com/mcp and https://mcp-eu.posthog.com/mcp) which fetch/execute remote code or provide tool behavior that can directly control agent instructions.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 13, 2026, 04:22 AM
Issues: 3