building-agent-mcp-server

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly maps and exposes a "gmail" connector in Step 2 and Step 4 shows the agent invoking the MCP tools to "get 1 latest email," meaning the agent will fetch and read user-generated Gmail content (an untrusted third‑party source) as part of its workflow, which can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill connects at runtime to the Scalekit MCP instance URL (mcp_url = inst_response.instance.url) and calls client.get_tools() then loads those returned tools into the agent (create_react_agent(..., tools)), so the external MCP instance URL (mcp_url) directly controls the agent's available tools/behavior and is a required runtime dependency.