mcp-server-building

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill provides a functional template for a fetch_url tool in SKILL.md that ingests untrusted external content and returns it directly to the agent's context. This is a critical vulnerability surface for Indirect Prompt Injection, where attacker-controlled web content can override agent instructions. Mandatory evidence: (1) Ingestion point: fetch(url) in SKILL.md. (2) Boundary markers: Absent. (3) Capability: Network read + text return. (4) Sanitization: Absent in code examples.
  • [Remote Code Execution] (HIGH): Documentation in references/testing-patterns.md and references/transport-patterns.md recommends using npx to execute remote packages (@modelcontextprotocol/inspector, @myorg/db-tools). Running unverified packages via npx is a high-risk pattern for supply chain attacks, especially when using placeholders like @myorg.
  • [Data Exposure & Exfiltration] (MEDIUM): The references/resource-patterns.md file demonstrates exposing local files as resources (e.g., settings.json via Path.read_text()). While demonstrated for config files, this pattern facilitates the exposure of sensitive local data if implemented without strict path validation or least-privilege constraints.
  • [Prompt Injection] (INFO): The automated scanner alert regarding request.params.name is a false positive. This string is a standard property access in the MCP TypeScript SDK and does not constitute a malicious URL or injection attempt.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 11:42 PM