mcp-client
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill is designed to spawn subprocesses based on values in a JSON configuration file. It explicitly supports executing 'npx', 'python', and 'docker' with arbitrary arguments. If an attacker can modify the config file (e.g., via a separate file-write vulnerability or indirect injection), they gain full local command execution.
- CREDENTIALS_UNSAFE (HIGH): The skill's documentation and examples encourage storing high-value secrets in plaintext configuration files. Evidence includes: 'GITHUB_PERSONAL_ACCESS_TOKEN', 'POSTGRES_CONNECTION_STRING' (with embedded credentials), and Zapier API keys. These are stored in locations like 'references/mcp-config.json' or '~/.claude.json'.
- EXTERNAL_DOWNLOADS (MEDIUM): Several server configurations use 'npx -y', which automatically downloads and executes packages from the npm registry at runtime. This introduces a supply chain risk where a compromised or malicious package could be executed on the user's machine.
- PROMPT_INJECTION (HIGH - Indirect): The skill exhibits a critical vulnerability surface for indirect prompt injection.
- Ingestion points: Data enters via 'mcp_client.py' from any connected MCP server (e.g., Brave Search results, GitHub PR comments, or Zapier email bodies).
- Boundary markers: No boundary markers or 'ignore' instructions are mentioned in the documentation or configuration.
- Capability inventory: The skill possesses high-privilege capabilities including filesystem access, network operations, and database querying.
- Sanitization: No sanitization is performed on server outputs. Malicious instructions embedded in a search result or email could be interpreted as commands by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata