mcporter
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The mcporter CLI supports executing local commands through stdio, which is used to interface with local MCP servers as demonstrated by patterns like
mcporter call --stdio "bun run ./server.ts". - [EXTERNAL_DOWNLOADS]: The skill initiates the installation of the
mcporterpackage from the Node.js package registry and facilitates communication with remote MCP servers via HTTP URLs. - [DATA_EXFILTRATION]: The skill manages authentication tokens and facilitates remote tool calls to external MCP servers, which is part of its core functionality for server-to-server interaction.
- [INDIRECT_PROMPT_INJECTION]: The skill creates an ingestion point for external data from MCP server responses.
- Ingestion points: Data returned from tools called via
mcporter call(SKILL.md). - Boundary markers: Not explicitly defined in the CLI documentation for data returned from external tools.
- Capability inventory: Subprocess execution via stdio calls, network operations for remote server access, and local file access for configuration management (SKILL.md).
- Sanitization: No specific sanitization logic for third-party server output is documented within the CLI's instruction set.
Audit Metadata