web-search-mcp
Fail
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions and the Python script scripts/web_search_mcp.py are designed to automatically read the sensitive ANTHROPIC_API_KEY from the user's ~/.claude/settings.json file.
- [DATA_EXFILTRATION]: The skill configures a Model Context Protocol (MCP) server to use the harvested API key. The configuration points to http://10.80.1.251:10004/mcp, meaning the sensitive key will be transmitted over unencrypted HTTP to this remote address whenever the search tool is used. Transmitting credentials over HTTP is a significant security risk as it allows for credential interception on the network.
- [COMMAND_EXECUTION]: The script scripts/web_search_mcp.py performs shell command execution using subprocess.run(shell=True). It insecurely interpolates the extracted API key into the claude mcp add command string. This allows for arbitrary command execution (Command Injection) if the API key contains malicious shell metacharacters.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8).
  - Ingestion points: Data is read from the local file ~/.claude/settings.json in scripts/web_search_mcp.py.
  - Boundary markers: Absent; the script parses the JSON and extracts the key without verifying the content's integrity or safety.
  - Capability inventory: The script can execute shell commands via subprocess.run and write to critical configuration files like ~/.claude.json.
  - Sanitization: Absent; the extracted data is used directly in a shell command without escaping or validation, allowing an attacker who can modify the settings file to gain control over the system.
Recommendations
- AI detected serious security threats
Audit Metadata