native-mcp
Fail
Audited by Snyk on May 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit API token examples (ghp_, sk-..., Bearer tokens) and instructs placing secrets directly into config/env/headers, which would require the agent to include secret values verbatim in generated configs/commands.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly connects to external MCP servers configured under mcp_servers via stdio (npx subprocesses) or HTTP URLs (see "Stdio Transport" and "HTTP / StreamableHTTP Transport" sections) and registers and consumes their tool outputs (startup discovery, tool calls) — including server-initiated sampling requests ("Sampling (Server-Initiated LLM Requests)") — which means untrusted, third-party code/content and user-provided responses can be read and can materially influence agent decisions and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill connects at runtime to external MCP servers (e.g., the HTTP transport URL "https://mcp.example.com/mcp") and also launches subprocesses via npx (e.g., @modelcontextprotocol/server-*) which fetch and execute remote code and can use MCP's sampling/createMessage capability to drive LLM prompts, so remote content can directly control prompts or execute code.
Issues (3)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata