mcp-server
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/evaluation.py uses the stdio_client from the mcp library to manage subprocesses. This functionality is intended to allow the agent to test local MCP servers by executing commands provided through CLI arguments.
- [EXTERNAL_DOWNLOADS]: The workflow in SKILL.md directs the agent to fetch the MCP protocol specification and SDK documentation from official domains, specifically modelcontextprotocol.io and the modelcontextprotocol organization on GitHub.
- [PROMPT_INJECTION]: The evaluation framework provided in scripts/evaluation.py creates a surface for indirect prompt injection by processing external data from XML files and server outputs.
  - Ingestion points: Evaluation questions are parsed from user-provided XML files in scripts/evaluation.py, and tool execution results are retrieved from the MCP server being evaluated.
  - Boundary markers: The harness uses XML tags such as <summary>, <feedback>, and <response> to structure the agent's output, but it does not implement strong delimiters to separate untrusted input data from the system prompt.
  - Capability inventory: The environment supports subprocess execution (via stdio_client) and network communication via SSE or HTTP transport methods.
  - Sanitization: Data parsed from the XML files and tool results are integrated into the LLM context without validation or escaping mechanisms.
- [DATA_EXFILTRATION]: The scripts/evaluation.py script utilizes the xml.etree.ElementTree library to parse evaluation XML files. This library is vulnerable to XML External Entity (XXE) attacks, which could potentially be used to expose sensitive local files if a malicious XML file is supplied as input.
Audit Metadata