day2-mcp-and-context-sync
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Flags: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill defines a "STOP PROTOCOL" that strictly controls agent behavior during the tutorial, including specific instructions to refrain from calling certain tools (like AskUserQuestion) until specific conditions are met to ensure a structured lesson flow.
- [PROMPT_INJECTION]: Category 8: Indirect Prompt Injection risk. The skill facilitates the creation of a "Context Sync" tool (templates/context-sync.md) that aggregates data from external, potentially untrusted sources.
  - Ingestion points: Data is pulled from Slack messages, Notion databases, Linear issues, and Gmail/Google Calendar via various MCP tools (e.g., slack_read_channel, notion__search).
  - Boundary markers: The provided template and instructions do not specify the use of delimiters or "ignore" instructions for the ingested content when presenting it to the agent.
  - Capability inventory: The skill utilizes subagents and MCP tools with the ability to read/write files and execute external service commands.
  - Sanitization: No explicit sanitization, filtering, or escaping of the retrieved data is implemented in the provided scripts or templates.
- [REMOTE_CODE_EXECUTION]: The tutorial instructs the agent to run npx skills add ai-native-camp/camp-2 --agent claude-code --yes to install the curriculum. This command downloads and executes code from the vendor's repository to set up the learning environment.
- [EXTERNAL_DOWNLOADS]: The scripts/mcp_servers.py script makes outbound HTTP requests to raw.githubusercontent.com to retrieve a list of MCP servers. This functionality is intended to help users discover and configure tools from the official MCP server registry.
Audit Metadata