mcp-builder

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The MCPConnectionStdio class in scripts/connections.py utilizes mcp.client.stdio.stdio_client to spawn subprocesses. This allows for arbitrary command execution on the host machine if the command or args parameters are not strictly validated.
  • REMOTE_CODE_EXECUTION (HIGH): The skill's primary function is to run and interact with MCP servers. Executing unverified local binaries or connecting to untrusted remote servers provides a direct path for remote code execution.
  • EXTERNAL_DOWNLOADS (MEDIUM): Through MCPConnectionSSE and MCPConnectionHTTP, the skill can connect to arbitrary network endpoints. This facilitates Server-Side Request Forgery (SSRF) if the target URL is provided by an untrusted source.
  • DATA_EXFILTRATION (MEDIUM): The network transport classes (SSE and HTTP) can be abused to transmit sensitive information from the agent's environment to external servers controlled by an attacker.
  • INDIRECT_PROMPT_INJECTION (HIGH):
    • Ingestion points: scripts/connections.py in the call_tool method, which ingests raw data from external tools/servers.
    • Boundary markers: Absent. The skill does not implement delimiters or warnings to treat external tool output as untrusted.
    • Capability inventory: Includes subprocess execution (stdio_client) and network requests (sse_client, streamablehttp_client).
    • Sanitization: Absent. Data returned from MCP tools is passed back to the agent without any filtering or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 11:54 PM