mcp-server-code-execution-mode

Status: Warn

Audited by Snyk on May 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly proxies external MCP servers (see "Proxying Other MCP Servers" with a "github" server). The SKILL.md workflow shows the agent discovering servers (runtime.discovered_servers()), querying and searching tool docs (runtime.query_tool_docs(), runtime.search_tool_docs()), and calling tools (e.g., mcp_github.list_issues, a weather tool) whose untrusted or user-generated outputs (GitHub issues, calendar events, weather forecasts) are read and used to decide or drive subsequent actions (creating issues, calendar events). Third-party content can therefore materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly pulls and runs a remote container image at runtime (ghcr.io/elusznik/mcp-code-execution:latest via podman pull/run), and its example config also invokes npx -y @modelcontextprotocol/server-filesystem, which fetches and executes remote code. Both are runtime external dependencies that execute code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs installing and configuring container runtimes (including "sudo apt install podman", migration and setup steps, and podman/docker run/build commands that modify system or runtime settings and may require elevated privileges or alter mounts). These are privileged system changes that can alter the state of the machine.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 18, 2026, 09:15 AM
Issues: 3