mcp-builder
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The 'MCPConnectionStdio' class in 'scripts/connections.py' facilitates the execution of local system commands to start MCP servers.
  - Evidence: The '_create_context' method (lines 80-84) passes 'self.command' and 'self.args' directly to the 'stdio_client' from the 'mcp' library.
  - Risk: This represents a command injection surface if the command or arguments are dynamically generated from untrusted data or unvalidated LLM outputs.
- EXTERNAL_DOWNLOADS (LOW): The skill supports connecting to remote MCP servers via SSE and HTTP transports.
  - Evidence: 'MCPConnectionSSE' (line 98) and 'MCPConnectionHTTP' (line 111) in 'scripts/connections.py' connect to arbitrary URLs provided at runtime.
  - Risk: Without a URL allowlist, this capability can be abused for unauthorized network requests or data exfiltration.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to ingest and process outputs from external MCP servers, creating an injection surface.
  - Ingestion points: Data returned by 'call_tool' in 'scripts/connections.py' (line 66).
  - Boundary markers: None. Data is returned directly as tool content.
  - Capability inventory: Subprocess spawning ('stdio_client') and network communication ('sse_client', 'streamablehttp_client').
  - Sanitization: No validation or sanitization of content returned from the MCP server is performed before it reaches the agent context.
Audit Metadata