dotnet-mcp-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's MCP Apps flow (references/mcp-apps.md) requires serving an HTML UI bundle that the host will fetch and render (the example even imports code from a public CDN: "https://esm.sh/@modelcontextprotocol/ext-apps@1"), and that UI can call app.updateModelContext or call server tools—meaning arbitrary third-party web content loaded into the UI could inject instructions that materially influence the agent's context and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The sample MCP App HTML includes a runtime import of remote JavaScript "https://esm.sh/@modelcontextprotocol/ext-apps@1" which the host/browser would fetch and execute inside the app iframe, allowing that external code to run and call app.updateModelContext / app.callServerTool and thus directly affect prompts and execute code at runtime.