mcp-builder
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The implementation workflow in SKILL.md suggests using 'npx @modelcontextprotocol/inspector', which downloads and executes a package from the npm registry. This is a high-risk pattern (MEDIUM after considering its primary purpose in the development workflow).
- EXTERNAL_DOWNLOADS (LOW): SKILL.md instructs the agent to fetch documentation from 'modelcontextprotocol.io' and 'github.com/modelcontextprotocol'. While these are official resources for the protocol, they are not on the predefined trusted list.
- COMMAND_EXECUTION (LOW): The 'scripts/connections.py' file facilitates spawning subprocesses via the stdio transport layer for MCP servers. This is a core feature of the protocol but remains a sensitive capability.
- PROMPT_INJECTION (LOW): The skill workflow involves researching external APIs and using those findings to generate tools (Category 8), creating an indirect prompt injection surface. Evidence Chain: 1. Ingestion: SKILL.md instructions to fetch external API docs. 2. Boundary markers: Absent. 3. Capability inventory: connections.py (subprocess/network). 4. Sanitization: Not explicitly mentioned in implementation guides.
Audit Metadata