react-mcp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). The skill is for user-managed MCP servers: at runtime it connects to end-user-specified MCP server URLs and merges their tool metadata/responses into the chat runtime, so any free-form text returned by an outsider MCP server (e.g., tool outputs, errors, prompts) can be ingested into the agent’s LLM context via the merged tools.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill declares connector URLs (e.g., https://mcp.linear.app and https://mcp.example.com/weather) that are contacted at runtime by the MCP manager and whose tools are merged into the chat runtime (aui.mcp().server(...).callTool(...)), meaning remote endpoints will be invoked and can execute remote code/control agent behavior.