mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill provides mechanisms to execute arbitrary tools from MCP servers using `npx tsx scripts/cli.ts call-tool` and the `gemini` command. This allows the agent to run subprocesses with potentially untrusted arguments.
- [REMOTE_CODE_EXECUTION] (HIGH): By design, MCP enables connection to and execution of external tools. This skill acts as a bridge to these capabilities, meaning any vulnerability in a configured MCP server or a malicious server configuration could lead to RCE on the host system.
- [CREDENTIALS_UNSAFE] (HIGH): The skill specifically targets `.claude/.mcp.json` and `.gemini/settings.json`. These files typically store sensitive connection strings, API keys, and environment variables required for MCP server authentication.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The documentation encourages `npm install -g gemini-cli`. While the source is a trusted organization (google-gemini), global package installation and running scripts via `npx` at runtime introduce supply chain risks.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection (Category 8). It ingests data from external MCP tools and saves it to `assets/tools.json` for LLM analysis, with no explicit boundary markers or sanitization logic mentioned in the documentation. If an MCP tool returns malicious instructions, the agent may obey them during the 'Intelligent Tool Analysis' phase.
Recommendations
- AI detected serious security threats
Audit Metadata