review-mcp-use-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and server-config-patterns) instructs the agent to connect to external MCP servers specified by mcpServers (e.g., "url"/"ws_url") and then automatically discover and ingest tools, prompts, and resources via session.list_tools(), session.get_prompt(), and session.read_resource(); because those servers can be arbitrary remote endpoints, their prompts/resources/tools (server-provided content) are read and used by the agent and therefore could inject instructions that materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Supabase Edge Functions example includes a direct Deno runtime import from https://esm.sh/mcp-use@latest/server, which would fetch and execute remote module code at runtime and thus is a required external dependency that can control executed behavior.