mcp-server-manager

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill includes and encourages embedding API keys, bearer tokens, and passwords directly in CLI flags, headers, env args, and JSON examples (e.g., --header "Authorization: Bearer YOUR_TOKEN", --env DB_PASSWORD=secret123), which would require the model to insert user secret values verbatim into generated commands or configs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md and references/mcp_documentation.md explicitly instruct adding and using remote MCP servers via arbitrary HTTP/SSE/stdio URLs (e.g., "claude mcp add --transport http " and examples like https://mcp.notion.com/mcp), and the agent is expected to query and act on the servers' responses (examples show asking the agent to read data, run prompts, and perform actions), so untrusted third‑party content can be ingested and materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs Claude Code to contact external MCP endpoints at runtime (for example: https://mcp.notion.com/mcp), and MCP servers can expose prompts/slash-commands that directly control the agent (and stdio examples like "npx -y airtable-mcp-server" demonstrate fetching/executing remote code), so these external URLs/packages can control prompts or execute code during runtime.