mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The script scripts/connections.py implements a wrapper for the MCP stdio_client, which facilitates the execution of local processes via command and args parameters. If these parameters are derived from untrusted input, it allows for arbitrary shell command execution.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill lacks security boundaries when ingesting external data.
  1. Ingestion points: SKILL.md instructs the agent to fetch documentation from modelcontextprotocol.io and GitHub (modelcontextprotocol organization), and to explore external content in Phase 4.2.
  2. Boundary markers: Absent. No instructions exist to prevent the agent from obeying commands embedded in external docs.
  3. Capability inventory: The skill includes the connections.py script for process execution and suggests running npm and python commands in Phase 3.2.
  4. Sanitization: None. The workflow encourages the agent to use external data to generate code and tool schemas directly.
- [EXTERNAL_DOWNLOADS] (MEDIUM): SKILL.md directs the agent to fetch and process content from untrusted external URLs including modelcontextprotocol.io and the modelcontextprotocol GitHub organization. These sources are not on the Trusted External Sources list and could be used to deliver malicious instructions via indirect injection.
Recommendations
- AI detected serious security threats
Audit Metadata