claude-peers-mcp

Warn

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires downloading external source code from a repository not associated with the skill author or a trusted organization (github.com/louislva/claude-peers-mcp.git).
  • [REMOTE_CODE_EXECUTION]: The instructions direct the user to execute the unverified downloaded code using the Bun runtime (bun ~/claude-peers-mcp/server.ts) to serve as an MCP backend.
  • [COMMAND_EXECUTION]: The documentation explicitly encourages users to launch Claude with the --dangerously-skip-permissions flag. This flag bypasses the agent's standard security guardrails, allowing it to perform file system operations and execute shell commands without requesting user confirmation.
  • [DATA_EXFILTRATION]: The 'Auto-Summary' feature extracts local environment metadata—including the current working directory, git branch names, and lists of recently accessed files—and sends this data to an external OpenAI API endpoint if an API key is provided.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by creating a messaging channel between agents.
      ◦ Ingestion points: Untrusted data enters the agent context via the send_message and check_messages tools defined in SKILL.md.
      ◦ Boundary markers: The skill lacks instructions or delimiters to warn the agent against obeying instructions contained within peer messages.
      ◦ Capability inventory: The skill combined with the recommended --dangerously-skip-permissions flag provides full shell and file system access.
      ◦ Sanitization: There is no evidence of sanitization or filtering for the content exchanged between peers, allowing one agent to potentially command another.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 22, 2026, 09:46 AM