
mcp-builder

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Finding tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): File SKILL.md (Phase 3.2) recommends running npx @modelcontextprotocol/inspector. This command downloads and executes a package from the npm registry at runtime. Since the @modelcontextprotocol organization is not in the Trusted Organizations list, this is an unverifiable remote code execution finding.
  • [COMMAND_EXECUTION] (MEDIUM): File scripts/connections.py implements the MCPConnectionStdio class which uses mcp.client.stdio.stdio_client to spawn and manage subprocesses. While this is the intended mechanism for MCP local servers, it provides a high-privilege capability that could be abused by a malicious agent to execute arbitrary local commands.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill fetches protocol specifications and SDK README files from modelcontextprotocol.io and raw.githubusercontent.com (Phase 1.2, 1.3). These sources are not on the trusted list, though the downloads are primarily for documentation.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). Evidence: 1. Ingestion points in SKILL.md Phase 1.2/1.3 (fetching external markdown); 2. Boundary markers are absent; 3. Capability inventory includes subprocess execution in scripts/connections.py; 4. Sanitization is absent.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:42 PM