claude-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's docs explicitly show configuring and using remote MCP servers and web-capable tools (references/mcp-integration.md — e.g., Brave Search, Puppeteer, remote mcp URLs) and installing plugins from GitHub or arbitrary URLs (references/hooks-and-plugins.md), which causes the agent to fetch and interpret untrusted public web content that can influence tool selection and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill references runtime installs and remote MCP endpoints that fetch and execute remote code — e.g., "claude plugin install https://example.com/plugin.zip", "claude plugin install gh:username/repo", remote MCP server URLs like "https://api.example.com/mcp", and npx commands such as "npx -y @modelcontextprotocol/server-filesystem" which will download and run external code that can control prompts or execute actions.