mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill creates a dangerous attack surface where external content is fetched and used to guide high-privilege actions.
- Ingestion points: The agent is instructed to use
WebFetchto read content frommodelcontextprotocol.ioandraw.githubusercontent.com(file: SKILL.md). - Boundary markers: Absent. There are no instructions to the agent to delimit external data or ignore instructions contained within the fetched documentation.
- Capability inventory: The skill guides the agent to write source code, create project structures, and execute build/test commands (
npm run build,npx,python). - Sanitization: Absent. There is no validation of external content before it is used to influence the agent's code generation or execution logic.
- [Unverifiable Dependencies / Remote Code Execution] (MEDIUM): The skill directs the agent to fetch and load README files from
github.com/modelcontextprotocol. Because themodelcontextprotocolorganization is not in the trusted source whitelist, these are classified as untrusted external downloads. If these files contain malicious instructions, they could lead to RCE during the suggested implementation phase. - [Command Execution] (LOW): The skill explicitly recommends executing shell commands for building and testing, such as
npm run buildandnpx @modelcontextprotocol/inspector. While common in development, these tools provide an execution path for code generated from the aforementioned untrusted external inputs.
Recommendations
- AI detected serious security threats
Audit Metadata