mcp-builder
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/evaluation.pyscript andscripts/connections.pymodule facilitate executing local shell commands via thestdiotransport. This allows the harness to launch and manage the MCP server process being tested (e.g., using-c python -a server.pyas arguments). This is the intended primary purpose of the evaluation script and is necessary for testing local implementations. - [EXTERNAL_DOWNLOADS]: The skill guides and the
SKILL.mdfile suggest fetching protocol specifications and SDK documentation from official sources, includingmodelcontextprotocol.ioandgithub.com/modelcontextprotocol. These are recognized as trusted, well-known organizations for the Model Context Protocol. - [PROMPT_INJECTION]: The
scripts/evaluation.pyscript exhibits a surface for indirect prompt injection by processing external data. - Ingestion points: The script reads test questions from a user-supplied XML file provided via the
eval_filepositional argument. - Boundary markers: Absent. The questions are interpolated directly into the message list sent to the LLM without specific protective delimiters.
- Capability inventory: The agent in the evaluation loop can execute any tool exposed by the connected MCP server (specified via the transport CLI arguments).
- Sanitization: None. The content of the XML file is passed directly to the model. This risk is inherent to the tool's primary function of evaluating agent performance against arbitrary test sets.
Audit Metadata