read-github

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md workflow and scripts/gitmcp.py explicitly fetch and search public GitHub repositories (via gitmcp.io) and can fetch arbitrary referenced URLs using the fetch_generic_url_content tool, meaning the agent ingests untrusted, user-generated third-party content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill launches a subprocess calling "npx -y mcp-remote <mcp_url>" (where mcp_url is e.g. https://gitmcp.io/owner/repo) at runtime, which downloads/executes remote npm code and returns tool outputs (like fetch_{repo}_documentation and fetch_generic_url_content) that are injected into the agent's flow, so external content can both execute code and directly control prompts.