mcp-installer
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill downloads and executes code from the npm registry at runtime using npx @smithery/cli to facilitate the installation of servers.
- [DATA_EXFILTRATION]: Accesses sensitive application configuration files in protected directories (e.g., ~/Library/Application Support/Claude/claude_desktop_config.json, %APPDATA%/Claude/, and various VSCode extension storage paths). These files are known to contain API keys, authentication tokens, and private user data.
- [COMMAND_EXECUTION]: Uses the rg (ripgrep) utility to perform recursive file discovery across configuration roots to locate MCP-related JSON files.
- [CREDENTIALS_UNSAFE]: The logic explicitly targets and manipulates configuration fields containing high-value secrets, including apiKey, accessToken, token, and Authorization headers.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: Reads existing JSON configuration files from multiple third-party applications (Claude, Cursor, Cline, etc.).
  - Boundary markers: Absent; the skill merges external JSON data directly into configuration objects without sanitization or delimiters.
  - Capability inventory: Includes the ability to execute npx commands and write to arbitrary application configuration paths.
  - Sanitization: No evidence of validation or sanitization for the content of the JSON files being read or the names of the servers being merged.
Audit Metadata