arista-cvp
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to clone a repository from an untrusted source (
https://github.com/noredistribution/mcp-cvp-fun) that is not affiliated with the skill author ('automateyournetwork') or any trusted organization. - [REMOTE_CODE_EXECUTION]: The entry point command
uv run --with fastmcp fastmcp run /path/to/mcp_server_rest.pyexecutes a script downloaded from the untrusted repository at runtime. - [COMMAND_EXECUTION]: The skill relies on executing shell commands (
git clone,uv run) to install and start the MCP server, providing a path for arbitrary code execution if the remote repository is compromised. - [CREDENTIALS_UNSAFE]: The skill requires a sensitive service account token (
CVPTOKEN) for authentication to Arista CloudVision Portal. The documentation acknowledges that 'TLS verification is disabled in source,' which exposes this token to interception via Man-in-the-Middle (MitM) attacks. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
- Ingestion points: The tools
get_inventory,get_events, andget_connectivity_monitoringest data from the external CloudVision Portal (CVP). - Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present to prevent the agent from obeying instructions embedded in device names or event descriptions.
- Capability inventory: The skill possesses write capabilities through the
create_tagtool, which performs a multi-step POST request workflow to the CVP API. - Sanitization: There is no evidence of sanitization or validation of the data retrieved from CVP before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata