crawl
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script scripts/crawl.sh recursively searches the ~/.mcp-auth/ directory for *_tokens.json files to extract access tokens. This directory is a sensitive location where credentials for various services are stored.
- [EXTERNAL_DOWNLOADS]: The bash script executes npx -y mcp-remote, which triggers a download and execution of the mcp-remote package from the npm registry at runtime to facilitate the OAuth flow.
- [DATA_EXFILTRATION]: Authentication tokens extracted from the user's local files are transmitted to the remote endpoint https://mcp.tavily.com/mcp.
- [PROMPT_INJECTION]: The skill ingests data from arbitrary external URLs. This content is processed without sanitization or boundary markers, creating a surface for Indirect Prompt Injection. Ingestion points: Arbitrary website URLs provided via the url parameter. Boundary markers: Absent. Capability inventory: Performs network requests and writes files. Sanitization: None.
- [COMMAND_EXECUTION]: The skill makes extensive use of shell commands (find, jq, curl, npx) and subprocess calls to interact with the operating system and network.
Recommendations
- AI detected serious security threats
Audit Metadata