native-mcp

Fail

Audited by Snyk on May 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes explicit API token examples (ghp_, sk-..., Bearer tokens) and instructs placing secrets directly into config/env/headers, which would require the agent to include secret values verbatim in generated configs/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly connects to external MCP servers configured under mcp_servers via stdio (npx subprocesses) or HTTP URLs (see "Stdio Transport" and "HTTP / StreamableHTTP Transport" sections) and registers and consumes their tool outputs (startup discovery, tool calls) — including server-initiated sampling requests ("Sampling (Server-Initiated LLM Requests)") — which means untrusted, third-party code/content and user-provided responses can be read and can materially influence agent decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill connects at runtime to external MCP servers (e.g., the HTTP transport URL "https://mcp.example.com/mcp") and also launches subprocesses via npx (e.g., @modelcontextprotocol/server-*) which fetch and execute remote code and can use MCP's sampling/createMessage capability to drive LLM prompts, so remote content can directly control prompts or execute code.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
HIGH
Analyzed
May 16, 2026, 01:45 PM
Issues
3
Security Audit — snyk — native-mcp