mcp-plugin
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [Command Execution] (SAFE): The skill utilizes the Bash tool to execute Python commands and scripts for managing TCP communication with the Unreal Editor on localhost. This is the intended behavior for the skill.
- [Indirect Prompt Injection] (LOW): The skill ingests data from external sources within the Unreal Engine project (e.g., blueprints, asset lists) and possesses powerful capabilities like function execution and asset creation.
  - Ingestion points: Data is ingested through tools like scan_blueprint, list_assets, and get_node_locations via the TCP server.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded content are provided in the prompt templates.
  - Capability inventory: The skill can execute Unreal functions via call_function, create/modify assets via build_to_asset, and run local shell commands via the Bash tool.
  - Sanitization: Risk is mitigated by a hardcoded allowlist of permitted functions for call_function and path validation requiring /Game/ or /Engine/ prefixes with no parent directory traversal (..) allowed.