mcp-builder
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes Python scripts (scripts/evaluation.py and scripts/connections.py) that are designed to launch local MCP servers and communicate with them via the stdio transport. This involves executing local commands and managing subprocesses for testing purposes.
- [EXTERNAL_DOWNLOADS]: The main instructions in SKILL.md point to official Model Context Protocol resources on modelcontextprotocol.io and its official GitHub repositories for SDK information. These references are used for developer documentation and are from well-known sources.
- [PROMPT_INJECTION]: The evaluation harness in scripts/evaluation.py possesses an indirect prompt injection surface, as it requires an agent to process questions from XML files and outputs from external tools.
  - Ingestion points: The script ingests test questions from XML files and receives output from tool calls made to the connected MCP server.
  - Boundary markers: While the system prompt uses XML tags for structure, it does not include explicit delimiters or instructions for the agent to ignore potentially malicious commands embedded in the external questions or tool results.
  - Capability inventory: The evaluation agent has the capability to execute any tool exposed by the MCP server, which defines the scope of potential actions if an injection occurs.
  - Sanitization: The skill does not implement sanitization or validation of the content ingested from evaluation files or tool outputs before presenting them to the LLM.
Audit Metadata