mcp
Audited by Socket on Feb 20, 2026
1 alert found:
Security [Skill Scanner] Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

benign: The fragment is a documentation-driven specification for MCP client/server management. The capabilities described (server management, tool interaction, registry, and resources access) are coherent with the stated purpose. No malicious logic or covert data exfiltration is evident; credential-related references in examples are placeholders and align with best practices when used correctly. The main risk stems from handling credentials in configs or logs, but that is a standard risk for such tooling and is mitigated by recommended practices in the document.

LLM verification: This SKILL.md documents a legitimate-looking MCP management skill whose capabilities match its stated purpose. The main security concerns are supply-chain and privilege exposure: examples use npx to auto-install and run remote MCP server packages (remote code execution risk), the filesystem server can read arbitrary host files, and configurations show passing tokens (GITHUB_TOKEN) to server processes. These behaviors are consistent with the documented features but are high-risk operationally if