MCP Integration
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill configures access to external data sources and local files, creating a high-risk injection surface.
  - Ingestion points: External content from GitHub (mcp.github.com), Asana (mcp.asana.com), and local files (${CLAUDE_PROJECT_DIR}).
  - Boundary markers: None present; the configuration does not define delimiters or instructions to ignore embedded commands in fetched data.
  - Capability inventory: File system read/write via @modelcontextprotocol/server-filesystem, database access via db-server.js, and execution of custom Python tools.
  - Sanitization: No sanitization or validation logic is defined in these configuration files.
- [Remote Code Execution] (HIGH): The stdio-server.json file uses npx -y to execute a package.
  - Evidence: npx -y @modelcontextprotocol/server-filesystem in examples/stdio-server.json downloads and executes code from the npm registry at runtime. Since @modelcontextprotocol is not in the trusted source list, this is a high-risk operation that bypasses static code review.
- [Command Execution] (MEDIUM): Multiple sections define arbitrary command execution.
  - Evidence: Execution of ${CLAUDE_PLUGIN_ROOT}/servers/db-server.js and python -m my_mcp_server allows the agent to run local processes with environment-variable-injected credentials.
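The three findings above can be reproduced mechanically. The script below is an added example written for this page, not the Trust Hub audit tool and not part of the audited skill: it walks an MCP stdio config, flags packages fetched through npx -y at launch, packages outside a reviewer-maintained allow-list, unpinned package specs, and credentials injected from the host environment. The config shape (a top-level "mcpServers" object with command/args/env per server), the TRUSTED_PACKAGES allow-list, and the SAMPLE_CONFIG contents are assumptions; the page does not show the audited files, so the sample only mirrors the servers the audit names.

```python
"""Static check for MCP stdio server configs (added example, not the audit tool).

Assumes the common {"mcpServers": {name: {"command", "args", "env"}}} layout.
"""
import re

# Hypothetical allow-list of npm packages the reviewer has vetted by hand.
TRUSTED_PACKAGES = {"@my-org/vetted-server"}

# Heuristic for env var names that usually carry credentials (not exhaustive).
CREDENTIAL_HINT = re.compile(
    r"TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|DATABASE_URL", re.I
)

# Constructed sample mirroring the servers named in the audit; the real
# examples/stdio-server.json is not shown on the page, so this is an assumption.
SAMPLE_CONFIG = {
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "${CLAUDE_PROJECT_DIR}"],
        },
        "db": {
            "command": "node",
            "args": ["${CLAUDE_PLUGIN_ROOT}/servers/db-server.js"],
            "env": {"DATABASE_URL": "${DATABASE_URL}"},
        },
        "python-tools": {
            "command": "python",
            "args": ["-m", "my_mcp_server"],
            "env": {"API_TOKEN": "${API_TOKEN}", "LOG_LEVEL": "info"},
        },
    }
}


def split_package(spec):
    """Split an npm spec into (name, version); '@s/n@1.0.0' -> ('@s/n', '1.0.0')."""
    # Scoped names start with '@', so the version separator is the next '@' after index 0.
    at = spec.find("@", 1)
    if at == -1:
        return spec, None
    return spec[:at], spec[at + 1:]


def audit_server(name, spec):
    """Return a list of (severity, message) findings for one server entry."""
    findings = []
    command = spec.get("command", "")
    args = list(spec.get("args", []))
    env = spec.get("env", {})

    if command in ("npx", "pnpx", "bunx"):
        # First non-flag argument is the package to fetch and run.
        package = next((a for a in args if not a.startswith("-")), None)
        if package is not None:
            pkg_name, version = split_package(package)
            if pkg_name not in TRUSTED_PACKAGES:
                findings.append(("HIGH", f"{pkg_name} is not in the trusted package list"))
            if version is None:
                # Without a version npx resolves the registry's current 'latest' at every launch.
                findings.append(("HIGH", f"{pkg_name} is unpinned; npx resolves 'latest' at launch"))
            if any(a in ("-y", "--yes") for a in args):
                findings.append(("MEDIUM", f"npx -y fetches and runs {pkg_name} at launch without confirmation"))
    elif command:
        findings.append(("MEDIUM", f"runs local process: {command} {' '.join(args)}"))

    for key, value in env.items():
        # "${VAR}" references pull secrets from the host environment into the child process.
        if CREDENTIAL_HINT.search(key) and "${" in str(value):
            findings.append(("MEDIUM", f"credential {key} injected from host environment"))
    return findings


def audit_config(config):
    """Audit every server; returns {server_name: [(severity, message), ...]}."""
    return {name: audit_server(name, spec) for name, spec in config.get("mcpServers", {}).items()}


def worst_severity(report):
    """Highest severity across all servers, or None when nothing was flagged."""
    rank = {"MEDIUM": 1, "HIGH": 2}
    worst = max((rank[s] for f in report.values() for s, _ in f), default=0)
    return {0: None, 1: "MEDIUM", 2: "HIGH"}[worst]


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for server, findings in report.items():
        for severity, message in findings:
            print(f"[{severity}] {server}: {message}")
    print("overall:", worst_severity(report))
```

Pinning a version (for example `-y @scope/name@1.2.3`) silences the unpinned check but still fetches from the registry at launch; the fetch-at-launch finding only goes away when the server is vendored into the plugin and started from a local path, which is what the allow-list is meant to gate.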
Recommendations
- AI detected serious security threats