mcp-server-tester

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for an LLM API key (and optionally save it to .env), which requires the model to receive sensitive secret values in its context and creates a direct exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly proxies JSON‑RPC to an arbitrary MCP server URL (via the inspector /inspector/api/proxy and chat endpoints) and instructs the agent to list and read third‑party tools, resources, and prompts (see references/basic-test-guide.md, references/inspector-api.md, and references/llm-test-guide.md), so untrusted server-provided content is read and used to decide tool calls and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill launches remote code via npx @mcp-use/inspector at runtime and relies on external LLM endpoints (e.g., https://openrouter.ai/api/v1 as shown) to generate model outputs that directly drive agent prompts, tool calls, and behavior, so these external endpoints/packages are runtime dependencies that control the agent.