mcp-builder
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The evaluation harness in `scripts/evaluation.py` and the connection logic in `scripts/connections.py` enable the execution of local MCP servers through the `stdio` transport, using user-supplied command-line arguments.
- [EXTERNAL_DOWNLOADS]: The documentation directs developers to fetch official protocol specifications and SDK details from the `modelcontextprotocol` GitHub organization, which is a recognized and authoritative source.
- [PROMPT_INJECTION]: The utility in `scripts/evaluation.py` processes question-and-answer pairs from an external XML file for AI testing purposes. This creates a surface for indirect prompt injection if malicious data is provided in the evaluation set, although this risk is localized to the testing process.
Audit Metadata