filesystem-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk capability tier for indirect prompt injection.
- Ingestion points: The read_file and list_directory tools allow the agent to ingest external, potentially untrusted data from the local filesystem into its context (File: SKILL.md).
- Boundary markers: No specific delimiters or 'ignore instructions' warnings are defined to separate untrusted file content from system instructions.
- Capability inventory: The skill includes high-impact tools such as write_file and move_file which allow for system state modification (File: SKILL.md).
- Sanitization: There is no evidence of content sanitization or validation of the data being read before it influences agent behavior.
- Data Exposure & Exfiltration (HIGH): The read_file and list_directory tools allow the agent to access arbitrary absolute or relative paths. Without strict OS-level sandboxing, this enables the exposure of sensitive files such as SSH keys, environment variables, or configuration files to the agent's context.
- Privilege Escalation (HIGH): The write_file and move_file tools provide the capability to overwrite local files. In an environment with insufficient permissions isolation, this could be used to modify startup scripts (e.g., .bashrc) or system configurations to achieve persistence or escalate privileges.
- Metadata Analysis (MEDIUM): The skill claims to be an 'Official' server in its metadata (File: SKILL.md), which may lead users to assume a higher level of safety than the inherent capabilities of the tool actually provide.
Recommendations
- AI detected serious security threats