MCP Integration
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The 'filesystem' server in 'stdio-server.json' uses 'npx -y' to fetch the '@modelcontextprotocol/server-filesystem' package from the npm registry at runtime.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The 'npx -y' pattern in 'stdio-server.json' executes code downloaded from a remote registry without version pinning or manual verification.
- [COMMAND_EXECUTION] (MEDIUM): The 'database' and 'custom-tools' servers in 'stdio-server.json' execute local files and Python modules ('db-server.js' and 'my_mcp_server'), increasing the execution surface.
- [DATA_EXFILTRATION] (LOW): The filesystem server provides the agent with read/write access to the local path '${CLAUDE_PROJECT_DIR}', which may contain sensitive user data or credentials.
- [PROMPT_INJECTION] (LOW): The filesystem access creates a surface for indirect prompt injection if the agent reads untrusted files.
  1. Ingestion points: '${CLAUDE_PROJECT_DIR}' via 'stdio-server.json'.
  2. Boundary markers: Absent.
  3. Capability inventory: File system read/write, local command execution (python, npx), and network access (HTTP/SSE servers).
  4. Sanitization: Absent.
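The findings above can be reproduced mechanically before a config is shipped. The following Python is an added example, not Trust Hub tooling and not code from the audited project: it parses a stdio server config and emits the same finding classes (unpinned 'npx -y' fetch, local script or module execution, directories handed to the agent, remote HTTP/SSE servers). The real 'stdio-server.json' is not reproduced on the page, so the sample config, its "mcpServers" layout, the 'remote-tools' URL and the pinned version '1.2.3' in the hardened variant are all assumptions; pin to whatever version your reviewed lockfile records.

```python
"""Static check of an MCP stdio server config for the finding classes above.

Added example, not Gen Agent Trust Hub tooling. The "mcpServers" layout and the
sample entries are assumptions reconstructed from the findings; the real
stdio-server.json is not reproduced on the page.
"""
import json
import re

# Constructed input modelled on the audited config (assumed layout).
WEAK_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem",
                     "${CLAUDE_PROJECT_DIR}"],
        },
        "database": {"command": "node", "args": ["db-server.js"]},
        "custom-tools": {"command": "python", "args": ["-m", "my_mcp_server"]},
        "remote-tools": {"url": "https://mcp.example.invalid/sse"},  # assumed URL
    }
})

# Same config with the filesystem server pinned and scoped to a subdirectory.
# "1.2.3" is a placeholder: pin to the version recorded in a lockfile you reviewed.
HARDENED_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["@modelcontextprotocol/server-filesystem@1.2.3",
                     "${CLAUDE_PROJECT_DIR}/docs"],
        },
        "database": {"command": "node", "args": ["db-server.js"]},
        "custom-tools": {"command": "python", "args": ["-m", "my_mcp_server"]},
    }
})

# Arguments that name a directory the server is handed: absolute, home-relative,
# dot-relative, or an environment placeholder such as ${CLAUDE_PROJECT_DIR}.
PATH_RE = re.compile(r"^(/|~|\.{1,2}/|\$\{)")


def package_spec(args):
    """Return the package npx will run: the first argument that is not a flag."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def is_pinned(spec):
    """True if the npm spec carries an explicit version rather than a dist-tag."""
    name = spec[1:] if spec.startswith("@") else spec  # drop the scope marker
    if "@" not in name:
        return False
    version = name.rsplit("@", 1)[1]
    return version not in ("", "latest")


def audit(config_text):
    """Return (server, category, severity, detail) tuples for one config file."""
    cfg = json.loads(config_text)
    findings = []
    for name, srv in cfg.get("mcpServers", {}).items():
        if "url" in srv:
            findings.append((name, "NETWORK_ACCESS", "LOW",
                             f"remote HTTP/SSE server at {srv['url']}"))
            continue
        cmd = srv.get("command", "")
        args = srv.get("args", [])
        if cmd == "npx":
            spec = package_spec(args)
            if spec is None or not is_pinned(spec):
                auto = "-y " if "-y" in args or "--yes" in args else ""
                findings.append((name, "EXTERNAL_DOWNLOADS", "MEDIUM",
                                 f"npx {auto}{spec} resolves and runs the latest published version at start-up"))
                findings.append((name, "REMOTE_CODE_EXECUTION", "MEDIUM",
                                 "unpinned registry code executed without review"))
            else:
                findings.append((name, "EXTERNAL_DOWNLOADS", "LOW",
                                 f"{spec} is pinned but still fetched from the registry at runtime"))
        else:
            findings.append((name, "COMMAND_EXECUTION", "MEDIUM",
                             f"runs local code: {cmd} {' '.join(args)}"))
        paths = [a for a in args if PATH_RE.match(a)]
        if paths:
            findings.append((name, "DATA_EXFILTRATION", "LOW",
                             f"agent is handed read/write access to {', '.join(paths)}"))
    return findings


def categories(findings, server=None):
    """Sorted distinct categories, optionally restricted to one server."""
    return sorted({c for s, c, _, _ in findings if server is None or s == server})


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for server, cat, sev, detail in audit(cfg):
            print(f"[{cat}] ({sev}) {server}: {detail}")
```

Pinning the version removes the REMOTE_CODE_EXECUTION finding and downgrades EXTERNAL_DOWNLOADS to LOW, but npx still contacts the registry at start-up; running the server from a locally installed, lockfile-audited copy is what removes the download entirely. The DATA_EXFILTRATION finding stays as long as any directory is exposed, which is why the hardened variant narrows the path rather than dropping it.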
Audit Metadata