cross-border-price-compare
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill's MCP server configuration utilizes 'npx -y @shopme/cross-border-price-compare-mcp'. This command automatically downloads and executes an npm package from an untrusted author at runtime, allowing for arbitrary code execution on the host machine.
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted product data (names, descriptions, prices) from external platforms like Taobao and 1688.
- Ingestion points: Product details provided in the 'sources' array of the 'compare_price' tool.
- Boundary markers: Absent; there are no instructions to the agent to treat this data as untrusted or to ignore embedded instructions.
- Capability inventory: The skill has full command execution capability via the npx-launched MCP server.
- Sanitization: No evidence of input validation or sanitization for the external data.
Recommendations
- AI detected serious security threats
Audit Metadata