mcp-builder
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `scripts/connections.py` and `scripts/evaluation.py` files allow for the execution of arbitrary local commands via the MCP `stdio` transport. This is intended for launching and testing local MCP servers but grants the script the ability to spawn subprocesses based on user-provided CLI arguments.
- [EXTERNAL_DOWNLOADS]: The `SKILL.md` file points to documentation and resources on modelcontextprotocol.io and GitHub repositories under the `modelcontextprotocol` organization. These are official resources for the protocol and its SDKs.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection within the evaluation harness found in `scripts/evaluation.py`.
  - Ingestion points: The script ingests untrusted data from an XML evaluation file and directly processes responses from the tools of the connected MCP server.
  - Boundary markers: The `EVALUATION_PROMPT` used in `scripts/evaluation.py` lacks delimiters or specific instructions to the model to ignore potential instructions embedded in tool outputs.
  - Capability inventory: The script can execute any tool provided by the connected MCP server, which (via the `stdio` transport) can include arbitrary command execution on the local machine.
  - Sanitization: The script does not perform any sanitization or validation of tool outputs before passing them back into the LLM context history.
Audit Metadata