mcp-builder
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The file `scripts/connections.py` implements an `MCPConnectionStdio` class that uses the `stdio_client`. This client is designed to spawn local subprocesses using a user-provided `command` and `args`. While necessary for the skill's purpose of testing local MCP servers, this provides a mechanism for arbitrary command execution.
- EXTERNAL_DOWNLOADS (LOW): The `SKILL.md` instructions guide the agent to fetch documentation from several remote sources, including `modelcontextprotocol.io` and `raw.githubusercontent.com/modelcontextprotocol/`. While these appear to be the official protocol sources, they are not on the explicit trusted source list and represent external data ingestion.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: The skill explicitly instructs the agent to use `WebFetch` to load remote markdown files from GitHub and the official MCP website to "study framework documentation."
  - Boundary markers: There are no instructions for the agent to use delimiters or to ignore instructions embedded within the downloaded documentation.
  - Capability inventory: The skill includes scripts capable of spawning subprocesses (`scripts/connections.py`) and instructs the agent to run build commands (`npm run build`) and syntax checks (`python -m py_compile`).
  - Sanitization: No sanitization or validation of the remote content is performed before it is processed by the agent.
Audit Metadata