mcp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly describes a multi-MCP workflow that calls mcp__brave__search to "search the web" and collect results which the agent reads and then uses to drive follow-up actions (e.g., saving to Notion), so it ingests untrusted public web content that could contain indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs running npx to fetch and execute remote packages at runtime (e.g., npx -y @modelcontextprotocol/server-postgres and npx @modelcontextprotocol/inspector), which downloads and runs external code that provides MCP tools the agent depends on and can directly control agent actions.