mcp-builder
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The connections.py script implements the stdio transport protocol using the mcp library to spawn local processes for MCP servers. This is the standard and intended behavior for local protocol integrations.
- [EXTERNAL_DOWNLOADS] (SAFE): SKILL.md directs the agent to fetch protocol specifications and SDK documentation from modelcontextprotocol.io and GitHub. These are the official and reputable sources for the protocol.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests external documentation to facilitate development. 1. Ingestion points: Documentation URLs in SKILL.md. 2. Boundary markers: None specified for docs. 3. Capability inventory: Subprocess execution and network requests provided in connections.py. 4. Sanitization: The reference/mcp_best_practices.md file provides mandatory security guidelines for input validation and sanitization.
Audit Metadata