mcp-spy
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill accesses sensitive log files located in
~/.claude/debug/. These logs contain full message histories, tool parameters, and server responses, which may include private user information or internal data. - Evidence: Multiple commands target
~/.claude/debug/mcp-*.logfor reading and filtering. - [COMMAND_EXECUTION] (HIGH): The skill encourages the use of the
--dangerously-skip-permissionsflag when running theclaudeCLI. This flag is designed to bypass security prompts that require user approval for tool execution, significantly increasing the risk of unauthorized actions. - Evidence:
time claude --print "Run beads_ready" --dangerously-skip-permissions 2>&1 | head -1. - [PROMPT_INJECTION] (LOW): The skill demonstrates an indirect prompt injection surface by taking raw, untrusted data from log files and interpolating it into a new prompt for a different AI model (Gemini).
- Evidence: Ingestion point:
$(grep "request" ~/.claude/debug/mcp-*.log | tail -1)interpolated into a validation prompt. - Boundary markers: None present; raw content is directly injected.
- Capability inventory: Shell execution (
bash), local network access (curl), and log reading. - Sanitization: None provided; the log content is passed directly to the model.
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes several system utilities (
lsof,ps,node,curl) to monitor and interact with local processes and network ports.
Audit Metadata