skills/aahl/skills/mcp-vods/Gen Agent Trust Hub

mcp-vods

Warn

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx -y and uvx to fetch and execute packages (mcporter and mcp-vods) from npm and PyPI registries during runtime.
  • [COMMAND_EXECUTION]: The skill requires the agent to execute shell commands to interact with the mcporter tool and local TV devices.
  • [REMOTE_CODE_EXECUTION]: By executing unpinned packages directly from public registries via npx and uvx, the skill performs remote code execution in which the specific code that runs is determined by the registry state at the time of the call.
  • [PROMPT_INJECTION]: The vods_search tool retrieves data from multiple third-party source sites, which creates a surface for indirect prompt injection.
      1. Ingestion points: Results from vods_search in SKILL.md.
      2. Boundary markers: Absent.
      3. Capability inventory: Subprocess execution of npx and local network requests.
      4. Sanitization: Not specified in the skill logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 25, 2026, 02:47 AM