mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The core functionality of this skill involves spawning subprocesses using the StdioClientTransport from the MCP SDK. The commands and arguments are loaded directly from a user-editable configuration file (.claude/.mcp.json), allowing for arbitrary code execution on the host system.
- REMOTE_CODE_EXECUTION (HIGH): The documentation and examples frequently promote the use of npx -y to fetch and execute packages from the npm registry at runtime. This creates a supply-chain risk where malicious or typosquatted packages could be executed with the agent's privileges.
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It retrieves tool, prompt, and resource descriptions from external MCP servers and stores them in assets/tools.json. The agent's instructions explicitly tell it to 'read assets/tools.json and intelligently select tools'. A malicious MCP server could provide descriptions containing instructions that hijack the agent's behavior during this analysis phase.
- CREDENTIALS_UNSAFE (MEDIUM): The configuration file .claude/.mcp.json is designed to store API keys and other sensitive environment variables. While the documentation suggests using symlinks and .gitignore, the local storage of these secrets and their transit through the MCP manager scripts poses an exposure risk.
Recommendations
- AI detected serious security threats