CtrlK
BlogDocsLog inGet started
Tessl Logo

mlava/agent-ready-mcp

Install and use the Agent Ready MCP server to scan any URL for AI agent-readability via MCP tool calls. Activates for "install agent-ready mcp", "set up agent-ready in Claude Desktop / Cursor / Cline / Goose / Continue", "add agent-ready as an MCP tool", "scan this site via agent-ready", "run scan_site / get_scan / ask via MCP". Pick this skill when the user wants tool-native access to Agent Ready — no curl, no fetch wiring. For direct REST access without MCP, use the `agent-ready-api` skill instead.

72

Quality

90%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

Security

2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.85). The required runtime workflow uses the MCP tools `scan_site`/`get_scan`, whose tool results include “scraped text from the target site (titles, headings, `llms.txt` / `AGENTS.md` bodies, check messages)”; that is outsider-authored free text from an arbitrary user-supplied URL that the agent will ingest into LLM context for summarization.

Report incorrect finding
Medium

W012: Unverifiable external dependency detected (runtime URL that controls agent)

What this means

The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.

Why it was flagged

Potentially malicious external URL detected (high risk: 0.90). The skill instructs clients to run "npx -y agent-ready-mcp@latest" (which fetches and executes remote code from the npm package at https://www.npmjs.com/package/agent-ready-mcp) and/or to point the MCP transport at the hosted endpoint https://agent-ready.dev/api/v1/mcp (and its server card https://agent-ready.dev/.well-known/mcp/server-card.json), both of which are runtime external dependencies that either execute fetched code or supply tool/prompt definitions that control the agent.

Audited
Security analysis
Snyk