mcp-integration-patterns
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The file `references/server-examples.md` contains a hardcoded password placeholder (`password='password'`) in a database connection example code block.
- [REMOTE_CODE_EXECUTION]: Guidance in `references/deployment-patterns.md` recommends using `npx -y` to download and execute MCP servers from the npm registry, which allows for the execution of remote, potentially untrusted code.
- [EXTERNAL_DOWNLOADS]: The documentation references the use of package managers including `pip`, `npm`, and `uv` to install dependencies from public registries during deployment.
- [PROMPT_INJECTION]: The `code_review` prompt template in `SKILL.md` demonstrates an indirect prompt injection surface where untrusted code and language inputs are interpolated into a prompt without sanitization or boundary markers.
- [DATA_EXFILTRATION]: Example implementations in `references/server-examples.md` and `SKILL.md` show patterns for transmitting data to external third-party API endpoints and databases.
Audit Metadata