mcp-apps
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes instructions for executing local scripts such as scripts/init_mcp_app.py and common development utilities like npx cloudflared for local tunnel creation during testing.
- [EXTERNAL_DOWNLOADS]: Projects generated by this skill depend on standard Node.js packages from the official Model Context Protocol ecosystem and well-known libraries such as Express and Vite.
- [PROMPT_INJECTION]: The skill establishes an interaction layer where UI components can process data from server tools and update the AI model's conversation context. This functionality represents an inherent surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the UI through the app.ontoolresult callback, as demonstrated in the boilerplate logic.
  - Boundary markers: The UI runs within a sandboxed iframe on the host side, providing a core security boundary.
  - Capability inventory: UI components can trigger server-side tool execution via app.callServerTool and modify the host's context via app.updateModelContext.
  - Sanitization: The provided boilerplate code includes an escapeHtml utility to sanitize data before rendering it in the UI, mitigating potential cross-site scripting (XSS) risks.
- [SAFE]: The skill is transparently documented, relies on trusted libraries, and does not contain malicious obfuscation, persistence mechanisms, or unauthorized data exfiltration patterns.
Audit Metadata