mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The core functionality of the skill is to spawn subprocesses using StdioClientTransport. It executes the command and args defined in the .claude/.mcp.json configuration file.
  - Evidence: In scripts/mcp-client.ts, the connectToServer method initializes StdioClientTransport with user-defined commands and environment variables.
- REMOTE_CODE_EXECUTION (HIGH): The skill's documentation explicitly encourages the use of npx -y to download and execute remote MCP server packages at runtime. This bypasses local security audits of the executed code.
  - Evidence: references/configuration.md provides examples using npx -y @modelcontextprotocol/server-memory and other remote packages.
- PROMPT_INJECTION (HIGH): Indirect prompt injection surface. The skill enables an agent to process untrusted external data (via web search or filesystem tools) and then use that data to decide which tools to execute next.
  - Ingestion points: scripts/mcp-client.ts (via tool outputs) and scripts/cli.ts (via CLI arguments).
  - Boundary markers: No specific boundary markers or instruction isolation techniques are implemented in the tool call logic.
  - Capability inventory: Full subprocess execution capability via StdioClientTransport and potential filesystem/network access depending on configured servers.
  - Sanitization: No sanitization of tool arguments or configuration values is performed before execution.
- CREDENTIALS_UNSAFE (LOW): The configuration guide suggests storing sensitive API keys directly in the .claude/.mcp.json file or environment variables, which could be exposed if the local environment is compromised.
  - Evidence: references/configuration.md shows BRAVE_API_KEY being stored in the env block of the JSON configuration.
Recommendations
- AI detected serious security threats
Audit Metadata