mcp-server-setup

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill directs creating and editing a central servers.json that "contains credentials" and shows examples with raw env values and inline ENV_VAR=value test commands, which requires an agent to insert or echo secret values verbatim into files/commands (high exfiltration risk).

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content includes explicit instructions that enable propagating credential-bearing configs to multiple agents via post_create.sh, running arbitrary unpinned npm packages with npx -y (remote code execution / supply-chain risk), persistent global installs for survivability, and an explicit "progressive improvement" clause that asks to block developer fixes—together these patterns indicate intentional backdoor/abuse capability.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required "Test the server manually in the container" step instructs running npx -y and parsing its JSON-RPC response (SKILL.md, "Adding a New MCP Server" step 1), which fetches and runs arbitrary npm packages and ingests their untrusted outputs that could influence agent behavior.