claude-code-agent-architecture
Warn
Audited by Snyk on May 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's MCP integration and example config add a "github" MCP server in ~/.config/claude-code/mcp.json and call mcpClient.listTools/callTool to read repository files. Those files are user-generated content from public GitHub, and the agent interprets them as part of its workflow, so text placed in a repository by a third party can carry instructions that steer the agent's decisions and the tool calls it makes next (indirect prompt injection).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Unverifiable external dependency detected (high risk: 0.90). The skill's runtime commands start MCP servers with npx -y (e.g., "npx -y @modelcontextprotocol/server-filesystem" and "npx -y @modelcontextprotocol/server-github"). The -y flag suppresses the install prompt, and neither package name carries a version, so each launch downloads whatever the npm registry currently serves under that name and executes it. The code that runs is therefore selected at run time by a remote source rather than fixed by the skill.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill documents and exemplifies tools that write files, execute shell commands, start external processes (npx-launched MCP servers) and modify user configuration, so following its instructions changes host system state. It does not instruct privilege escalation or account creation.
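The config shape that W011 and W012 describe, in its weak and hardened forms, with a checker for unpinned `npx -y` launches and for filesystem-server roots that expose the whole machine. This is an added example, not code from the Snyk audit or from the audited skill; the two mcp.json documents, the version numbers and the directory paths are constructed placeholders.

```python
import json
import os
import re

# Constructed sample configs (not from the audited skill); the shape follows the
# ~/.config/claude-code/mcp.json layout the skill documents. Version numbers
# and paths are placeholders, not real releases or real directories.
WEAK_CONFIG = """
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"]
    }
  }
}
"""

HARDENED_CONFIG = """
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem@2025.1.14",
               "/home/dev/projects/agent-arch"]
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github@2025.4.8"]
    }
  }
}
"""

FILESYSTEM_PKG = "@modelcontextprotocol/server-filesystem"
BROAD_ROOTS = {"/", "~", "~/", "$HOME"}   # roots that expose the whole machine or home


def split_spec(spec):
    """Split 'name' or 'name@version' into (name, version or None).
    A leading '@' is an npm scope, not a version separator."""
    name, sep, version = spec.rpartition("@")
    if not sep or not name:
        return spec, None
    return name, version


def is_pinned(spec):
    """True only for an exact x.y.z pin; ranges (^, ~) and tags (latest) are not pins."""
    _, version = split_spec(spec)
    return version is not None and re.fullmatch(r"\d+\.\d+\.\d+", version) is not None


def npx_package(argv):
    """Return the package spec `npx` would run for argv, or None if argv is not an
    npx invocation. Handles the common `npx -y <pkg> [args...]` form: flags are
    skipped and the first positional token is taken as the package."""
    if not argv or os.path.basename(argv[0]) != "npx":
        return None
    for arg in argv[1:]:
        if not arg.startswith("-"):
            return arg
    return None


def audit_mcp_config(config_text):
    """Return a list of finding strings for an mcp.json document (empty = clean)."""
    config = json.loads(config_text)
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        argv = [server.get("command", "")] + list(server.get("args", []))
        pkg = npx_package(argv)
        if pkg is None:
            continue
        if not is_pinned(pkg):
            findings.append(
                f"{name}: '{pkg}' is fetched by npx without an exact version pin; "
                "the registry chooses what runs at start-up (W012)")
        pkg_name, _ = split_spec(pkg)
        if pkg_name == FILESYSTEM_PKG:
            # Positional args after the package are the directories the server may serve.
            roots = argv[argv.index(pkg) + 1:]
            for root in roots:
                if root in BROAD_ROOTS:
                    findings.append(
                        f"{name}: filesystem root '{root}' exposes the whole machine "
                        "or home directory; scope it to the project")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_mcp_config(text)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Pinning an exact version makes the launch reproducible but still a run-time download; to remove the remote fetch entirely, install the servers once with a lockfile and point "command" at the local binary. Pinning also says nothing about W011: whatever the github server returns remains untrusted content and should be treated as data, not instructions, regardless of which server version fetched it.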
Issues (3)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W013 (MEDIUM): Attempt to modify system services in skill instructions.