mcp-integration
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill provides templates that use 'npx -y' to execute code from external sources. Examples include 'github-mcp@latest' and 'claude-code-templates', which are not on the trusted sources list. The '-y' flag bypasses confirmation, allowing silent execution of remote code.
- EXTERNAL_DOWNLOADS (HIGH): Recommends fetching npm packages without version pinning (using '@latest'). This is a dangerous practice that leaves the user vulnerable to supply chain attacks if the package or its account is compromised.
- CREDENTIALS_UNSAFE (SAFE): While the skill contains fields for API keys and tokens, it correctly uses placeholders and emphasizes the best practice of using environment variables for secrets.
Recommendations
- AI detected serious security threats
Audit Metadata