mcp-use

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's core workflow (SKILL.md and references) instructs creating an MCPClient/MCPAgent with remote servers using a "url" or "ws_url" in the mcpServers config and then calling agent.run()/session.list_tools()/session.read_resource()/session.get_prompt(), which clearly causes the agent to fetch and ingest untrusted, third‑party server-provided tools, resources, and prompts that can materially influence subsequent tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill’s examples show MCPClient connecting at runtime to external MCP servers (e.g., "https://your-server.example.com/mcp") and then discovering prompts/tools from that server which are injected into the agent context and invoked (session.get_prompt / session.list_tools / session.call_tool), so that remote content can directly control agent prompts and cause remote code/tool execution.