meigen-ai-design-mcp

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes example secret-looking tokens (e.g., meigen_sk_..., sk-...) and explicit examples of placing API tokens directly into config files and export/JSON snippets, which encourages or requires embedding secret values verbatim in generated configs/commands and thus risks exfiltration.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs external packages at runtime (e.g., "npx meigen@1.3.1" and numerous "npx meigen gen" examples) which will fetch and execute remote code associated with the project (see https://github.com/jau123/MeiGen-AI-Design-MCP), so there is a clear runtime dependency that executes remote code.