build-mcp-app
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
Full Analysis
- Sandboxed UI Architecture: The skill describes a robust security model using HTML5 sandbox attributes and Content Security Policy (CSP) to isolate interactive widgets. This prevents unauthorized access to host data while allowing controlled interaction through the @modelcontextprotocol/ext-apps library.
- Controlled Communication Channel: Interactions between the widget and the host are mediated by the App class. Capabilities like app.sendMessage allow the UI to provide structured feedback to the conversation, which is a core feature of the MCP App specification.
- Resource Management Patterns: To support visual content within restricted iframes, the skill provides patterns for server-side image processing. This allows external resources to be safely displayed as data URLs, though developers should verify the sources of these resources as a standard practice.
- Integrated SDK Support: The skill suggests using official Model Context Protocol packages and includes a mechanism to integrate the SDK into the widget's execution environment. This ensures compatibility and leverages the built-in security features of the protocol.
Audit Metadata