day2-supplement-mcp
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses `npx skills add ai-native-camp/camp-1 --agent claude-code --yes` to download and install additional agent components. This executes remote code/packages from an unverified source without user confirmation due to the `--yes` flag.
- [COMMAND_EXECUTION]: The skill triggers shell commands (`npx`) to modify the agent's skill set, effectively changing its operational capabilities at runtime.
- [EXTERNAL_DOWNLOADS]: The skill references and downloads content from a GitHub repository (`ai-native-camp/camp-1`) that is not part of the trusted vendors list or well-known service organizations.
- [PROMPT_INJECTION]: The skill contains a 'STOP PROTOCOL' that uses aggressive override language ('Must never violate', 'Top priority rule', 'Absolutely forbidden') to force the agent to ignore standard interaction patterns and adhere to a specific, author-defined execution flow.
- [PROMPT_INJECTION]: There is a significant surface for indirect prompt injection, as the skill reads content from multiple external files in the `references/` directory and displays them to the user or uses them to generate responses without sanitization.
  - Ingestion points: Multiple files, including `references/block0-concept.md` and `references/block1-add-server.md`.
  - Boundary markers: None identified; content is used as-is.
  - Capability inventory: The agent has access to shell execution (`bash`) and interactive tool calling (`AskUserQuestion`).
  - Sanitization: No evidence of validation or sanitization of the external markdown content before processing.
Recommendations
- AI detected serious security threats
Audit Metadata