Xano Backend Builder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The README.md and .env.example files instruct users to store the XANO_MCP_TOKEN in shell profiles like ~/.zshrc or ~/.bashrc. This is a poor security practice as these files are frequently targeted by credential-harvesting malware and are often accidentally leaked via dotfile repositories.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from an external Xano workspace and has powerful write/management capabilities.
    * Ingestion points: Data and metadata fetched from the Xano workspace URL (defined in XANO_MCP_URL) via the MCP SSE connection.
    * Boundary markers: Absent. There are no instructions or delimiters in the provided files to prevent the agent from obeying instructions embedded within retrieved database content.
    * Capability inventory: As per the README.md, the skill allows the agent to build backend services and 'Create a test table', implying schema and data modification privileges.
    * Sanitization: Absent. There is no evidence of filtering or sanitization of the content returned from the external Xano API.
  • [DATA_EXFILTRATION] (MEDIUM): While the skill does not contain explicit exfiltration code, the configuration in .mcp.json sends the user's secret XANO_MCP_TOKEN to the URL defined in XANO_MCP_URL. If a user is tricked into setting a malicious URL in their environment variables, their access token will be exfiltrated to an attacker-controlled endpoint.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:44 AM