mcp-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and required docs (references/gemini-cli-integration.md and SKILL.md) explicitly instruct using MCP servers like web-search, puppeteer/playwright and fetch (and assets/tools.json lists tools that accept URLs and fetch/read webpages/documents) so the agent will fetch and interpret open/public third-party content (web pages, search results, user-provided URLs) and use that content to select and execute tools, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime configuration launches MCP servers via npx (e.g., @modelcontextprotocol/server-puppeteer / @modelcontextprotocol/server-memory) which fetches and executes remote packages as required dependencies (see the referenced Official MCP Servers repo https://github.com/modelcontextprotocol/servers), so external code is fetched and run during skill execution.