mcp-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH. Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill has a high-risk attack surface: it ingests untrusted data from external sources and also has write/execute capabilities.
- Ingestion points: The skill instructions state 'Open/fetch that URL [GitHub URL] directly and read the install section' (SKILL.md).
- Boundary markers: There are no defined delimiters or instructions for the agent to ignore embedded commands within the fetched content.
- Capability inventory: The agent can execute codex mcp add, run npx/uvx commands, and write to ./.codex/config.toml and ~/.codex/config.toml (SKILL.md).
- Sanitization: No sanitization or validation of the fetched instructions is mentioned; the agent 'infers' launch methods directly from documentation.
- Remote Code Execution (HIGH): The skill's primary purpose is to download/reference and then execute code from external sources (GitHub repositories, npm, or HTTP endpoints).
- Evidence: The instruction 'Inspect repo docs quickly to find the official MCP launch method' allows for arbitrary command execution if the documentation is compromised. The skill explicitly supports npx, uvx, and binary execution (SKILL.md).
- Data Exposure & Persistence (HIGH): The skill modifies configuration files (~/.codex/config.toml) that often contain environment variables and API keys.
- Evidence: The skill can 'Update in place' or edit blocks directly. By adding a malicious MCP server, an attacker achieves persistence, as that server will be executed in future sessions (SKILL.md).
Recommendations
- AI detected serious security threats