mcp-management
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The core functionality of the skill (found in scripts/mcp-client.ts) involves spawning subprocesses via StdioClientTransport. This is the intended primary purpose of the skill: to run MCP servers. The commands and arguments are sourced from a local configuration file (.claude/.mcp.json).
- EXTERNAL_DOWNLOADS (LOW): The skill documentation (README.md, references/gemini-cli-integration.md) recommends installing the gemini-cli (a tool from the trusted google-gemini organization) and various MCP servers using npm and npx. While these involve external downloads, they are standard components of the MCP ecosystem.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it fetches and processes data from external MCP servers without applying strict boundary markers or sanitization.
  - Ingestion points: Data is ingested through the getAllTools, getAllPrompts, and getAllResources methods in scripts/mcp-client.ts, which communicate with external servers.
  - Boundary markers: No specific delimiters or security instructions are used when presenting the output of MCP servers to the agent.
  - Capability inventory: The skill can execute arbitrary commands (configured as MCP servers) and perform file-write operations (assets/tools.json).
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from external MCP servers.
Audit Metadata