skills/fusengine/agents/mcp-tools/Gen Agent Trust Hub

mcp-tools

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill instructs the user to install and run MCP servers from the npm registry using npx -y xcodebuildmcp@latest and npx -y @kimsungwhee/apple-docs-mcp. These packages are hosted under personal/untrusted accounts and are not part of the defined [TRUST-SCOPE-RULE] whitelist.
  • REMOTE_CODE_EXECUTION (HIGH): The use of npx -y results in the immediate download and execution of code from a remote registry. Executing code from untrusted sources (cameroncooke and kimsungwhee) poses a severe supply chain risk where malicious updates to these packages could compromise the host system.
  • COMMAND_EXECUTION (HIGH): XcodeBuildMCP provides tools for project discovery, build operations, and project scaffolding. This grants the agent the capability to execute complex shell commands (xcodebuild) and modify the local file system. While this is the skill's purpose, it provides an exploitable surface if the agent is influenced by malicious input.
  • PROMPT_INJECTION (MEDIUM): The skill uses strong imperative language such as 'MANDATORY validation', 'PRIORITY over Context7', and 'MANDATORY Research-First'. While these are workflow instructions, they employ patterns similar to behavior-overriding prompt injections which could be used to suppress safety constraints in an adversarial context.
  • INDIRECT PROMPT INJECTION (HIGH): The skill implements a 'Build Validation' loop where the agent is instructed to build code, read error messages, and 'Fix issues'.
    ◦ Ingestion points: XcodeBuildMCP (build errors), apple-docs-mcp (WWDC transcripts/documentation).
    ◦ Boundary markers: Absent. There are no instructions to ignore embedded commands within build logs or documentation data.
    ◦ Capability inventory: XcodeBuildMCP provides file system modification (Create Project) and command execution (Build/Clean).
    ◦ Sanitization: None detected. The agent processes raw build errors and external documentation to make code-writing decisions, creating a surface where poisoned error messages or documentation could induce the agent to write malicious code into the project.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:37 PM