modular-rag-mcp-server

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs placing API keys directly into .env and into config JSON (e.g., OPENAI_API_KEY: "sk-...") and the Setup Skill will collect/configure those keys, which requires the agent to accept and write secret values verbatim into outputs/files.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill’s Quick Setup explicitly clones and runs code from the external Git repository https://github.com/jerry-ai-dev/MODULAR-RAG-MCP-SERVER.git, which is a runtime-fetched dependency whose contents are then executed (setup, Python server, dashboard), so it can directly control executed code and thus poses risk.