admin-mcp
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The PowerShell scripts scripts/add-mcp-server.ps1 and scripts/diagnose-mcp.ps1 perform high-impact system operations, including modifying critical configuration files, querying process information via WMI, and terminating/starting local processes like 'Claude'.
- [EXTERNAL_DOWNLOADS]: The skill's primary workflows (documented in SKILL.md and references/INSTALLATION.md) rely on downloading and installing external software via npx, npm, and git clone. While many examples target trusted organizations, the mechanism allows for the installation of any arbitrary remote package.
- [DATA_EXFILTRATION]: The scripts/diagnose-mcp.ps1 tool aggregates sensitive system state into a diagnostic report. This includes the full system and user PATH, a list of all running Node.js processes with their full command-line arguments, and the last 20 lines of the Claude Desktop application logs. Although the script contains logic to redact values associated with keys like 'KEY' or 'TOKEN', the breadth of system metadata collected represents a data exposure risk.
- [REMOTE_CODE_EXECUTION]: The core functionality of the skill is to configure Claude Desktop to run external 'MCP servers'. This provides a direct path for executing external code. If the agent is successfully manipulated into installing a malicious server, that code would execute with the user's local permissions.
- [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection (Category 8). An attacker could provide malicious instructions that trick the agent into using the included management scripts for unauthorized purposes.
- Ingestion points: The scripts accept parameters such as $Name, $Command, and $Args, which are then written directly into the claude_desktop_config.json file.
- Boundary markers: There are no boundary markers or validation steps to ensure that the server being added or the diagnostic report being generated is requested by the legitimate user.
- Capability inventory: The skill has the capability to write to the filesystem, stop/start applications, and discover system environment details.
- Sanitization: There is no sanitization or verification of the URLs, package names, or file paths provided as arguments to the scripts.