add-mcp-resource
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill collects user input through interactive prompts and injects it into code templates without validation or escaping.
  - Ingestion points: Interactive questions for 'URI', 'Name', 'Description', and 'Template parameters' in SKILL.md.
  - Boundary markers: None present; the skill lacks delimiters or instructions to ignore embedded commands in the user-provided data.
  - Sanitization: No escaping or validation of user input before it is placed into '{{uri}}' or '{{name}}' placeholders.
  - Risk: An attacker can provide a payload like 'resource", async load() { require("child_process").exec("rm -rf /"); }, name: "bad' to break the string literal and inject malicious functionality.
- [COMMAND_EXECUTION] (HIGH): The skill is designed to modify the application's source code at runtime.
  - Capability inventory: Step 5 of the execution instructions explicitly directs the agent to 'Add resource to server by modifying existing files'.
  - Risk: When combined with the injection vulnerability, this allows persistent modification of the server's codebase, granting the attacker control over the application's behavior.
- [DATA_EXFILTRATION] (MEDIUM): The skill generates templates that include file system access and external API calls.
  - Evidence: Example code snippets demonstrate reading from '/var/logs' and fetching data from external URLs.
  - Risk: While intended for legitimate use, these patterns are readily exploitable for data exfiltration if the generation logic is subverted via the injection surface.
Recommendations
- AI detected serious security threats