mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill directs the agent to ingest external documentation, which is then used to drive code generation and execution activities.
  - Ingestion points: The agent is instructed to use WebFetch to read sitemap.xml from modelcontextprotocol.io and README.md files from GitHub (file: SKILL.md).
  - Boundary markers: Absent. The skill provides no delimiters or instructions to treat the external content as untrusted data.
  - Capability inventory: The skill guides the agent to perform file writes (implementing tools), execute shell commands (npm run build, python -m py_compile), and run local servers using npx @modelcontextprotocol/inspector (file: SKILL.md).
  - Sanitization: Absent. There is no evidence of validation or filtering of the ingested content before it is used to influence agent decisions and code generation.
- External Downloads (MEDIUM): The skill references resources from the modelcontextprotocol GitHub organization and modelcontextprotocol.io. While these appear to be official sources, the organization is not included in the predefined list of Trusted GitHub Organizations, requiring manual verification of integrity.
- Command Execution (LOW): The skill involves the execution of standard build and testing tools. While expected for development, these represent the final stage of a potential injection pipeline, where malicious code generated from tainted documentation could be executed.
Recommendations
- AI detected serious security threats
Audit Metadata