mcp-builder
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The file
scripts/connections.pycontains theMCPConnectionStdioclass which utilizesmcp.client.stdio.stdio_clientto execute arbitrary local commands. - Evidence: The class takes
commandandargsparameters and passes them to the underlying transport mechanism which spawns a subprocess. - Risk: While this is the intended functionality for an MCP client builder, it provides a high-privilege capability that could be exploited to run malicious code if the agent is manipulated into executing unauthorized commands.
- EXTERNAL_DOWNLOADS (LOW):
SKILL.mdcontains instructions for the agent to fetch external data from non-whitelisted domains for research purposes. - Evidence: References to
https://modelcontextprotocol.io/sitemap.xmland raw GitHub README files from themodelcontextprotocolorganization. - Risk: This creates a surface for indirect prompt injection where malicious instructions embedded in remote documentation could influence the agent's behavior during the server creation process.
- INDIRECT PROMPT INJECTION (LOW): The skill is designed to ingest untrusted data from the web and has powerful capabilities.
- Ingestion points:
SKILL.mdprompts the agent to useWebFetchon external protocol documentation and SDK READMEs. - Boundary markers: None specified for the external data ingestion.
- Capability inventory: The skill includes scripts for local command execution (
scripts/connections.py) and instructions for building/compiling code. - Sanitization: No sanitization logic is present for the fetched documentation.
Audit Metadata