mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill directs the agent to fetch remote files (READMEs and sitemaps) from 'modelcontextprotocol.io' and 'raw.githubusercontent.com' in Phase 1. These sources are not within the predefined [TRUST-SCOPE-RULE] list, making the downloads unverifiable.
- [COMMAND_EXECUTION] (HIGH): The 'scripts/connections.py' file implements a 'stdio' transport client that uses the 'mcp' library to execute local commands. Additionally, 'SKILL.md' Phase 3.2 instructs the agent to run 'npm', 'npx', and 'python' commands for building and testing, providing a surface for arbitrary code execution.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its ingestion of external content and its side-effect capabilities.
  - Ingestion points: External sitemaps and SDK documentation are fetched in Phases 1.2 and 1.3.
  - Boundary markers: There are no boundary markers or instructions to ignore embedded commands in the fetched data.
  - Capability inventory: The skill can execute subprocesses via 'connections.py' and perform file-system build operations.
  - Sanitization: No validation or sanitization of the fetched external markdown or XML content is performed before processing.
Recommendations
- AI detected serious security threats