
fastmcp

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is designed to build servers that ingest untrusted data from external sources like APIs (OpenAPI), databases, and file systems. This content is then presented to the agent's context. There is a high risk that an attacker controlling an external API response or database record could inject instructions to override agent logic.
      • Ingestion Points: API responses (via OpenAPI/FastAPI integration), database records, and file system content.
      • Boundary Markers: Not explicitly mentioned or implemented in the provided README templates.
      • Capability Inventory: Tools for file system access, database interaction, and execution of arbitrary logic via the FastMCP framework.
      • Sanitization: Mentions Pydantic validation for schema consistency, which provides some structural safety but does not prevent natural language instruction injection.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the installation of the fastmcp package from an untrusted GitHub repository (jlowin/fastmcp). As this source is not within the defined trusted scope, the risk of dependency-based attacks is present.
  • [COMMAND_EXECUTION] (MEDIUM): The skill references several scripts (test-server.sh, deploy-cloud.sh) and capabilities for wrapping system-level services. These provide the agent with the ability to execute commands and interact with the host environment, which increases the impact if an injection occurs.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:07 AM