mcp-setup
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Remote Code Execution (HIGH): The documentation in SKILL.md repeatedly instructs users to use npx -y for various MCP servers (e.g., @modelcontextprotocol/server-filesystem). This command downloads and executes code from the npm registry without manual verification or version pinning, which can be exploited via package hijacking or typosquatting.
- Indirect Prompt Injection (HIGH): This skill enables the ingestion of untrusted data from sources including Brave Search, Slack, and GitHub.
  1. Ingestion points: Brave Search, Slack, and Filesystem servers defined in SKILL.md.
  2. Boundary markers: No specific delimiters or instructions to ignore embedded content are included in the provided templates.
  3. Capability inventory: Configured servers have high-privilege capabilities including filesystem access (read/write), database query execution (Postgres/SQLite), and network communication via APIs.
  4. Sanitization: While best practices mention validation, the provided implementation templates lack any actual sanitization logic.
- External Downloads (MEDIUM): The scripts/mcp-initializer.sh script performs unversioned installations of @modelcontextprotocol/sdk and the mcp Python package. Since these sources are not on the explicit trusted list, this represents a supply chain risk.
- Credential Exposure (LOW): Examples in SKILL.md document storing sensitive tokens in plaintext configuration files in known system locations like %APPDATA% or ~/Library.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata