mcp-server-installation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt instructs placing usernames, passwords, and client secrets directly into config JSON and MCP env settings (and would lead an agent to accept or emit those secret values verbatim into generated configs/commands), which creates an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly directs runtime fetching and execution of remote code (e.g., "npx -y happy-platform-mcp" and "git clone https://github.com/Happy-Technologies-LLC/happy-platform-mcp.git"), so the GitHub URL is a required external dependency that will execute remote code at runtime.