mcp-cli

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed API keys and tokens directly on the command line (e.g., --env GITHUB_TOKEN=ghp_xxx, REDASH_API_KEY=abc123) and instructs the agent to construct mcp-call commands with --key=value args, which requires outputting secret values verbatim and thus poses high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill calls arbitrary MCP servers (including HTTP URLs added via --add-http or seeded from ~/.claude.json/servers.json) and fetches tool lists and tool-call responses (see http_call_tool and fetch_tools in scripts/ and src/, and the README/SKILL.md multi-tool workflow). The agent reads these responses and uses them to drive subsequent actions, so untrusted third-party content can materially influence its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill issues JSON-RPC calls at runtime to configured HTTP MCP server URLs (e.g. the example http://localhost:8010/mcp added via --add-http) which will cause the remote server to execute tools/commands and return text that can directly control agent behavior.
Audit Metadata

Risk Level: HIGH
Analyzed: Mar 10, 2026, 04:25 PM