mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The file scripts/connections.py includes the MCPConnectionStdio class, which utilizes the mcp library to execute arbitrary local commands on the host system. This provides the agent with a direct mechanism for process execution.
- [EXTERNAL_DOWNLOADS] (LOW): SKILL.md directs the agent to fetch documentation from modelcontextprotocol.io and githubusercontent.com. According to the security policy, these are untrusted external sources, representing a risk of malicious data ingestion.
- [PROMPT_INJECTION] (HIGH): The skill presents a high-risk surface for indirect prompt injection due to its combined capabilities and ingestion points. 1. Ingestion points: External README files and API specifications are fetched via WebFetch as instructed in SKILL.md. 2. Boundary markers: The skill does not define delimiters or provide instructions to the agent to ignore embedded commands in the fetched data. 3. Capability inventory: The agent is equipped with the scripts/connections.py utility, enabling both local command execution (via stdio transport) and external network requests (via SSE and HTTP). 4. Sanitization: No sanitization or validation of the fetched external documentation is performed before it is processed by the agent. This allows an attacker to embed malicious instructions in documentation that can then leverage the agent's execution tools.
Recommendations
- AI detected serious security threats
Audit Metadata