mcp-server-tester

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for an LLM API key and optionally save credentials to a .env file (and uses curl-proxied requests), which requires capturing and embedding secret values verbatim and thus poses an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly proxies to arbitrary MCP servers and instructs the agent to call tools/list, resources/read, prompts/get and to feed those discovered tool schemas, prompt text, and resource contents into an LLM via the inspector chat endpoints (see SKILL.md, references/inspector-api.md and references/llm-test-guide.md), which clearly exposes the agent to untrusted third‑party/user-generated content that can influence tool selection and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs the inspector at runtime via "npx @mcp-use/inspector", which downloads and executes remote package code (the mcp-use inspector project: https://github.com/mcp-use/inspector) and is a required dependency for the commands, so it constitutes executing remote code at runtime.