mcp-setup

Audit result: Fail

Audited by Snyk on Apr 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt asks the user for API keys/tokens and constructs CLI/HTTP commands that embed those secrets verbatim (e.g., -e EXA_API_KEY=, -e GITHUB_PERSONAL_ACCESS_TOKEN=, --header "Authorization: Bearer "), requiring the LLM to output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly configures external MCP servers that provide web and public-content access — notably "Exa Web Search" (web search results), "GitHub" integration (repo/issue/PR content), and the "Custom MCP Server" HTTP transport (arbitrary URLs) in SKILL.md — which the agent will read and act on, creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs remote packages/images at runtime (e.g., via "npx -y @upstash/context7-mcp", "npx -y exa-mcp-server", "npx -y @modelcontextprotocol/server-filesystem" and "docker run ... ghcr.io/github/github-mcp-server") and also allows adding an HTTP MCP endpoint ("https://api.githubcopilot.com/mcp/"), all of which fetch and execute remote code or provide remote MCP content that will directly control agent context/prompts.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 19, 2026, 08:53 AM
  • Issues: 3