mcp-server-oauth
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Network Operations (SAFE): The scripts
check-oauth-status.js,discover-oauth.js, andexchange-token.jsperform network requests to external servers. This behavior is the primary purpose of the skill (probing MCP servers and communicating with OAuth providers) and is directed by user-provided URLs. - Indirect Prompt Injection (LOW): Surface area for untrusted data ingestion exists in the discovery scripts.
- Ingestion points:
check-oauth-status.jsanddiscover-oauth.jsparse JSON bodies and headers from remote servers. - Boundary markers: Absent; the scripts directly output data extracted from remote responses.
- Capability inventory: Network access via Node.js
fetch. - Sanitization: The scripts perform standard JSON parsing. While they do not explicitly sanitize URL strings, the impact is limited to the tool's output being interpreted by the agent.
- Dependency Management (SAFE): The skill does not include a
package.jsonor external dependencies, utilizing built-in Node.js 18+ APIs (crypto,fetch,AbortController), which minimizes supply chain risks.
Audit Metadata