secure-mcp-install
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Flagged: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The skill implements a workflow that clones repositories from arbitrary URLs and executes their installation scripts (e.g. `npm install`, `pip install -e .`). This "download then execute" pattern is a high-risk capability; however, because it is the primary intended purpose of the skill, the severity is reduced to MEDIUM.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill pulls source code from user-provided URLs (`git clone <REPO_URL>`) without restricting them to trusted domains or pinning them to a specific commit. This exposes the system to unverified external content.
- COMMAND_EXECUTION (MEDIUM): The skill executes various system commands, including building external projects (`npm run build`) and modifying the agent's MCP configuration (`claude mcp add-json`). These operations could be subverted if the cloned repository contains malicious install or build hooks (for example npm lifecycle scripts such as `postinstall`, or code in `setup.py` that runs during `pip install -e .`).
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it is designed to ingest and analyze untrusted third-party source code. Attackers could place malicious instructions in code comments, README text or package metadata to deceive the agent during the audit process.
- Ingestion points: Third-party repositories cloned to `~/.claude/mcp-audits/` (documented in `SKILL.md`).
- Boundary markers: No specific delimiters are used to wrap or isolate the content of the files being audited.
- Capability inventory: Subprocess execution for installation (`npm`, `pip`, `python`) and modification of the local configuration via the `claude` CLI.
- Sanitization: The skill mitigates this risk through an automated scanner (`audit-mcp-server.sh`) and a detailed manual audit checklist for the user to follow.
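The findings above boil down to one gap: the install step (`npm install`, `pip install -e .`) runs repository code before the audit checklist has been applied. The following is an added example of a pre-install gate that sits between `git clone` and the install commands; it is not the skill's own `audit-mcp-server.sh`. It assumes an allowlist of clone hosts (`ALLOWED_HOSTS`), the set of npm lifecycle hooks that fire during install (`NPM_INSTALL_HOOKS`), and a set of well-known Python build backends; the sample repository layout it builds is constructed for the demonstration.

```python
"""Pre-install gate for a clone -> install -> register-MCP-server workflow.

Added example; not the audited skill's code. ALLOWED_HOSTS, NPM_INSTALL_HOOKS
and KNOWN_BACKENDS are assumptions; build_sample_repo() writes constructed data.
"""
import json
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: only these hosts are acceptable clone sources for this workflow.
ALLOWED_HOSTS = {"github.com", "gitlab.com"}

# npm lifecycle scripts that run automatically during `npm install` / `npm ci`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall",
                     "preprepare", "prepare", "postprepare")

# Build backends whose install-time code is the backend's own, not the repo's.
KNOWN_BACKENDS = {"setuptools.build_meta", "flit_core.buildapi", "hatchling.build",
                  "poetry.core.masonry.api", "pdm.backend"}


def check_repo_url(url: str) -> list[str]:
    """Return problems with the clone URL; an empty list means it passes."""
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append(f"scheme {p.scheme!r} is not https")
    host = (p.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        problems.append(f"host {host!r} is not in the allowlist")
    if p.username or p.password:
        problems.append("URL embeds credentials")
    return problems


def is_pinned_commit(ref: str) -> bool:
    """A full 40-hex SHA cannot be moved by the repo owner; a tag or branch can."""
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None


def npm_lifecycle_hooks(package_json_text: str) -> dict[str, str]:
    """Install-time lifecycle scripts declared in package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in NPM_INSTALL_HOOKS}


def python_install_time_code(repo: Path) -> list[str]:
    """Files/settings that execute repository code during `pip install -e .`."""
    findings = []
    if (repo / "setup.py").exists():
        findings.append("setup.py runs as code at install time")
    pyproject = repo / "pyproject.toml"
    if pyproject.exists():
        text = pyproject.read_text()
        m = re.search(r'build-backend\s*=\s*"([^"]+)"', text)
        if m and m.group(1) not in KNOWN_BACKENDS:
            findings.append(f"custom build backend {m.group(1)!r} runs at install time")
        if "backend-path" in text:
            findings.append("backend-path points the build at code inside the repo")
    return findings


def gate(repo: Path, url: str, ref: str) -> dict:
    """Run all checks and decide whether to block or send to manual review."""
    report = {"url_problems": check_repo_url(url), "pinned": is_pinned_commit(ref),
              "npm_hooks": {}, "python_hooks": [], "install_cmds": []}
    pkg = repo / "package.json"
    if pkg.exists():
        report["npm_hooks"] = npm_lifecycle_hooks(pkg.read_text())
        # --ignore-scripts keeps the hooks above from running; `npm run build`
        # is then invoked explicitly, after the checklist has been applied.
        report["install_cmds"].append("npm ci --ignore-scripts")
    if (repo / "setup.py").exists() or (repo / "pyproject.toml").exists():
        report["python_hooks"] = python_install_time_code(repo)
        # pip has no --ignore-scripts equivalent: review must happen first.
        report["install_cmds"].append("pip install -e .  # only after review")
    report["blocked"] = bool(report["url_problems"]) or not report["pinned"]
    report["needs_manual_review"] = bool(report["npm_hooks"]) or bool(report["python_hooks"])
    return report


def build_sample_repo(root: Path) -> Path:
    """Constructed sample clone: a postinstall hook plus a setup.py."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps({
        "name": "example-mcp-server",
        "scripts": {"build": "tsc", "postinstall": "node scripts/fetch-binary.js"},
    }))
    (root / "setup.py").write_text("from setuptools import setup\nsetup(name='example')\n")
    return root


def demo_report() -> dict:
    """Build the constructed sample in a temp dir and run the gate on it."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        repo = build_sample_repo(Path(d) / "clone")
        # 'main' is a branch, not a pinned commit, so the gate blocks the install.
        return gate(repo, "https://github.com/example/example-mcp-server", "main")


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

The gate blocks outright on an unpinned ref or a URL outside the allowlist, and otherwise reports which install-time hooks the checklist reviewer has to read before the install command runs. Note the asymmetry it documents: npm hooks can be neutralised with `--ignore-scripts` and the build run later by hand, whereas `pip install -e .` has no such switch, so a `setup.py` or custom build backend must be read before pip is invoked at all.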
Audit Metadata