mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill's core functionality in scripts/mcp-client.ts involves spawning subprocesses using commands and arguments loaded from the .claude/.mcp.json configuration file, allowing for arbitrary system command execution.
- [REMOTE_CODE_EXECUTION] (HIGH): Documentation in README.md and references/configuration.md encourages the use of npx -y to run remote MCP servers, which downloads and executes packages from the npm registry without confirmation or version pinning.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on fetching external code at runtime via package managers, as seen in the installation and configuration guides.
- [PROMPT_INJECTION] (LOW): The references/gemini-cli-integration.md guide suggests piping user input directly to the Gemini CLI with the -y flag, which bypasses manual confirmation for tool execution and creates a vulnerability to prompt injection attacks.
- [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface by ingesting tool metadata from external servers into assets/tools.json.
  - Ingestion points: scripts/mcp-client.ts (getAllTools method) collects metadata from all configured MCP servers.
  - Boundary markers: None. The metadata is stored in a JSON file and used by the LLM without delimiters or safety warnings.
  - Capability inventory: The skill possesses the ability to execute system commands and manage network-connected servers.
  - Sanitization: None. There is no validation of the metadata returned by remote MCP servers.
Recommendations
- AI detected serious security threats
Audit Metadata