mcp-cli
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The documentation includes an example command that pipes search results through jq and xargs into sh -c. Because sh -c re-parses its argument as a shell command line, this pattern facilitates command injection whenever a filename or search result contains shell metacharacters.
- [PROMPT_INJECTION]: The skill is designed to ingest data from external MCP servers, such as filesystems and databases, which can then be processed by the agent. This creates a risk for indirect prompt injection where malicious instructions embedded in the retrieved data could override agent behavior.
  - Ingestion points: results from MCP tool calls (e.g., read_file, search_files) in SKILL.md.
  - Boundary markers: absent; there are no instructions to use delimiters or to ignore embedded commands.
  - Capability inventory: the agent can execute shell commands and interact with various external tools.
  - Sanitization: none; the skill does not specify any validation or sanitization of data returned from MCP servers.