arista-cvp
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires downloading content from an untrusted GitHub repository (noredistribution/mcp-cvp-fun) which is not associated with the author or a trusted organization.
- [REMOTE_CODE_EXECUTION]: The skill executes a Python script (mcp_server_rest.py) from the downloaded repository using uv run, allowing arbitrary code execution from an unverified source.
- [COMMAND_EXECUTION]: Shell commands are used to clone the repository and run the MCP server.
- [CREDENTIALS_UNSAFE]: Requires a service account token (CVPTOKEN) for infrastructure access. The documentation states that TLS verification is disabled in the source, creating a high risk of credential exposure through man-in-the-middle attacks.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection.
  - Ingestion points: Data is fetched from CloudVision API endpoints (inventory, events, connectivity) into the agent's context (SKILL.md).
  - Boundary markers: Absent; there are no delimiters to separate untrusted API data from instructions.
  - Capability inventory: The create_tag tool performs multiple POST requests to modify the network state (workspace creation, tag creation, build, submit) in SKILL.md.
  - Sanitization: No validation or escaping is mentioned for data retrieved from external sources or user-provided parameters.
Recommendations
- AI detected serious security threats