mcp-cli

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). This is a raw GitHub URL to an install.sh script intended to be fetched and executed (curl ... | bash); executing remote .sh files directly is high-risk even from GitHub because repos/accounts can be compromised or contain malicious/privilege-escalating commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs running mcp-cli against arbitrary MCP servers (e.g., HTTP server entries like "url: https://mcp.example.com/mcp" in references and the testing flow) and shows workflows where command output is printed and piped into further calls (references/output-debugging-and-chaining.md), meaning untrusted remote responses are fetched and can directly influence subsequent commands and actions (it also suggests fetching an install script via curl from raw.githubusercontent.com).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes an explicit runtime install command that pipes remote code to a shell (curl -fsSL https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh | bash), which fetches and executes remote code needed for normal external workflows.