mcp
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill allows the execution of arbitrary system commands through the /mcp add CLI command and the registry.addServer API. This can be exploited to run unauthorized or malicious binaries on the host system.
- REMOTE_CODE_EXECUTION (HIGH): The skill documentation and implementation rely on npx -y to install and run MCP servers (e.g., @modelcontextprotocol/server-filesystem). This allows unverified third-party code to be downloaded and executed at runtime.
- CREDENTIALS_UNSAFE (MEDIUM): The skill manages sensitive environment variables such as GITHUB_TOKEN. The documentation suggests hardcoding these or passing them via configuration, which increases the risk of credential exposure if the local configuration is accessed.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill fetches multiple dependencies from the @modelcontextprotocol scope. While these are part of the MCP ecosystem, they are external packages that are not pinned to specific versions in the provided examples, posing a supply-chain risk.
- PROMPT_INJECTION (LOW): The skill is a major vector for indirect prompt injection, as it ingests data from external tools, resources, and searches.
  1. Ingestion points: Data returned from registry.callTool and registry.readResource.
  2. Boundary markers: None; tool results are directly concatenated into the response string in index.ts.
  3. Capability inventory: Command execution, filesystem access, and network operations through configured MCP servers.
  4. Sanitization: No sanitization or escaping of tool-provided content is performed before presentation to the agent context.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata