mcp-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): The skill is a legitimate development boilerplate for the Model Context Protocol. No security vulnerabilities or malicious patterns were identified during the analysis.
- [EXTERNAL_DOWNLOADS] (SAFE): The `package.json` file references standard packages from the official npm registry, including `@modelcontextprotocol/sdk` and `express`. There are no piped command-line executions or downloads from untrusted third-party sites.
- [DATA_EXFILTRATION] (SAFE): The skill demonstrates best practices by using environment variables (via `dotenv`) for sensitive configuration such as API keys. No hardcoded credentials or patterns suggesting the exfiltration of local sensitive files (e.g., SSH keys or AWS configs) were detected.
- [COMMAND_EXECUTION] (SAFE): The skill does not contain logic to execute arbitrary system commands. It provides standard npm scripts for building and running the server in a local development context.
- [PROMPT_INJECTION] (SAFE): The instructions in `SKILL.md` are focused on guiding the agent to generate correct code and do not include bypass attempts, jailbreak triggers, or instructions to ignore safety protocols.
- [INDIRECT_PROMPT_INJECTION] (SAFE): While the templates include tools that take user-provided strings (e.g., the `echo` tool), accepting caller-supplied arguments is inherent to how MCP tools work. The skill itself does not ingest untrusted data into the agent's context during the building process.
Audit Metadata