mcp-best-practices

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly requires runtime fetching of public third-party metadata and content — e.g., the OAuth discovery flow in references/security-auth.md ("Client -> Auth Server: GET Authorization Server Metadata (RFC 8414 or OIDC Discovery)") and the MCP Registry/aggregator polling in references/extensions-registry.md — which causes the agent to read untrusted external documents (authorization metadata, registry entries) that can materially change authorization, endpoint selection, or discovery behavior and thus enable indirect prompt injection or SSRF-like attacks.