edgeone
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute the mcporter package from the NPM registry at runtime. This package is not from a recognized or trusted organization.
- [COMMAND_EXECUTION]: The skill executes shell commands using npx -y, which bypasses user confirmation for package installation, and uses command substitution ($(cat ...)) to read local file contents.
- [DATA_EXFILTRATION]: The skill reads local file data and transmits it to an external server (mcp-on-edge.edgeone.app). While intended for deployment, this establishes a mechanism for sending local data to a third-party service.