mcporter
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the mcporter CLI which supports executing local shell commands and scripts through the --stdio flag (e.g., mcporter call --stdio "bun run ./server.ts"). This provides a powerful capability to launch and interact with local processes.
- [EXTERNAL_DOWNLOADS]: The installation metadata defines a step to download and install the mcporter package from the public Node.js (npm) registry.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from external MCP servers. (1) Ingestion point: Output from mcporter call commands. (2) Boundary markers: None specified in the instructions. (3) Capability inventory: Subprocess execution via --stdio and network requests via HTTP. (4) Sanitization: No explicit sanitization or validation of server responses is defined.
Audit Metadata