mcp-installer

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's primary workflow involves searching for and installing packages from the npm registry using npx -y. While many references point to trusted organizations like Microsoft, Stripe, and the Model Context Protocol (MCP) organization, the workflow encourages the agent to search for and install unverified packages from the web.
  • [COMMAND_EXECUTION] (MEDIUM): The skill provides various templates for running local processes via npx, node, and bun. This includes executing commands with specific arguments (e.g., database connection strings) which could be manipulated if the agent follows unverified third-party instructions.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The skill configures remote MCP servers that the agent connects to via URL. This pattern allows the agent to interact with and execute logic provided by remote endpoints (e.g., Figma, HubSpot, Notion), which constitutes a form of remote capability execution.
  • [CREDENTIALS_UNSAFE] (LOW): The file references/mcps/postgres.md contains a template connection string postgresql://user:password@localhost:5432/dbname. This is flagged as a potential hardcoded credential, though the file includes an explicit warning and a better alternative using environment variables ({env:DATABASE_URL}).
  • [DATA_EXFILTRATION] (SAFE): No malicious data exfiltration patterns were detected. The skill correctly uses environment variable interpolation for sensitive keys, which is a security best practice for avoiding secret exposure in configuration files.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill has a significant attack surface for indirect injection because it reads and acts upon data in references/mcps/*.md.
      ◦ Ingestion points: Files in references/mcps/ are read by the agent and parsed by scripts/list_mcps.py.
      ◦ Boundary markers: None. The agent treats the contents of these markdown files as authoritative configuration.
      ◦ Capability inventory: The skill can execute system commands via npx, node, and bun, and can update the opencode.json configuration file.
      ◦ Sanitization: None. If the agent "discovers" and saves a malicious MCP definition from the web to a local markdown file, it may later execute malicious commands defined in that file.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:50 PM