mcp-configure

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The hosted MCP flow uses OAuth so no secrets are needed, but the local npx flow explicitly supports an "agent-assisted" path where the agent is instructed to accept and write the LAUNCHDARKLY_ACCESS_TOKEN into config (with user consent), which would require the LLM to handle/output the secret verbatim and is an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill includes runtime instructions to run a local MCP server via npx which fetches and executes remote package code (e.g., the config snippet "command: 'npx', args: ['-y', '@launchdarkly/mcp-server']"), so it depends on fetching and running remote code at runtime.