use-mcp
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill executes the gemini CLI using a shell pipe: echo "$ARGUMENTS" | gemini. This pattern is vulnerable to shell command injection if the $ARGUMENTS variable contains characters such as backticks, semicolons, or subshell expansions, allowing an attacker to execute arbitrary commands on the host system.
- COMMAND_EXECUTION (MEDIUM): The instruction includes the -y flag for the Gemini CLI, which auto-approves all tool executions. This bypasses human-in-the-loop safety checks, allowing potentially dangerous MCP tools (e.g., file system access or network operations) to be executed without confirmation when triggered by malicious input.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it interpolates untrusted data directly into the model's input stream without sanitization or boundary markers.
- Ingestion points: The $ARGUMENTS variable in SKILL.md is piped directly into the gemini CLI.
- Boundary markers: Absent. There are no delimiters or instructions provided to the CLI to distinguish between user data and system instructions.
- Capability inventory: The CLI has the capability to execute any tools exposed by the configured MCP servers, which could include file modification, command execution, or network access.
- Sanitization: None. The skill lacks any logic to escape shell characters or filter malicious prompt content.
- COMMAND_EXECUTION (MEDIUM): The fallback logic suggests using an mcp-builder skill to 'fix' scripts of the mcp-management skill. This establishes a dynamic execution pattern where scripts are modified and run at runtime, which can be leveraged by an attacker to achieve persistence or escalate privileges within the agent's environment.
Audit Metadata