AGENT LAB: SKILLS

mcp-vods

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill instructions direct the agent to execute commands such as npx -y mcporter and uvx mcp-vods. These commands download and execute code from public registries (npm and PyPI) at runtime. Because these packages do not come from the specified list of trusted organizations, they represent an unverified remote code execution risk.
  • COMMAND_EXECUTION (MEDIUM): The skill is based entirely on shell command execution to search for media and interact with TV hardware. While this is the intended functionality, it provides a direct interface for executing arbitrary logic defined in external scripts.
  • EXTERNAL_DOWNLOADS (MEDIUM): The use of npx -y and uvx means the latest versions of the external tools are downloaded and run each time, making the agent's environment dependent on the security of the third-party package maintainers.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 04:55 PM