agentic-mcp
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of external MCP servers using the stdio transport by spawning processes with commands and arguments specified in the local mcp-servers.json configuration file.
- [COMMAND_EXECUTION]: The CLI automatically spawns the background daemon process using node or tsx if it is not already running.
- [EXTERNAL_DOWNLOADS]: The default configuration facilitates the retrieval and execution of the @playwright/mcp package from the npm registry using npx, which is a well-known service.
- [DATA_EXFILTRATION]: The daemon component establishes network connections to remote MCP servers via HTTP and SSE protocols and utilizes local sockets for inter-process communication.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its handling of untrusted data from external MCP servers.
  - Ingestion points: Tool metadata and execution results are ingested in src/client.ts via the listTools and callTool methods.
  - Boundary markers: Absent; external results are returned directly to the agent's context without explicit delimiters or warnings.
  - Capability inventory: The skill can spawn subprocesses (spawn) and perform network operations (net, http).
  - Sanitization: None detected; external tool output is processed as JSON.
Audit Metadata