claude-code-best-practice

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's .mcp.json and "Usage in Agents" sections explicitly configure and instruct using third-party MCP servers (e.g., server-github and server-brave-search) so the agent will fetch and analyze public, user-generated web and GitHub content as part of its workflows, allowing that untrusted content to influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The .mcp.json config launches external MCP server packages via npx (e.g., "npx -y @modelcontextprotocol/server-github" and similar entries for @modelcontextprotocol/server-filesystem, @modelcontextprotocol/server-brave-search, @modelcontextprotocol/server-postgres), which fetches and executes remote code at skill runtime and the skill relies on those packages for its functionality.