mcp-server-management
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Sensitive credentials, including GitHub tokens and API keys, are passed as plain-text command-line arguments to the setup-mcp-server.sh and setup-mcp-proxy.sh scripts, making them visible in the process list and shell history.
- [DATA_EXFILTRATION]: The scripts access sensitive files on the local system, including session cookies via HIGRESS_COOKIE_FILE and worker gateway keys stored in /data/worker-creds/, to facilitate gateway configuration.
- [COMMAND_EXECUTION]: The setup-mcp-server.sh script uses sed to inject credentials into YAML templates without sufficient validation, which could be exploited for configuration manipulation if input values are not strictly controlled.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ingestion of user-provided configuration files.
  Ingestion points: The --yaml-file argument in setup-mcp-server.sh.
  Boundary markers: No delimiters or ignore instructions are applied to the user-provided YAML content.
  Capability inventory: The skill can update gateway settings, write to local agent configuration files, and upload data to MinIO storage.
  Sanitization: Employs simple string substitution for credentials without robust validation of the surrounding YAML structure or content.
Audit Metadata