mcp-integration
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill creates a significant surface for Indirect Prompt Injection by bridging external tool servers to the agent's core reasoning loop.
  - Ingestion points: Untrusted data enters the skill via mcpManager.connectServer (fetching tool schemas) and mcpManager.callTool (fetching execution results) in src/index.js.
  - Boundary markers: The skill fails to use delimiters or 'ignore' instructions when returning tool outputs. The result is stringified and returned as raw text in the tool content in src/index.js.
  - Capability inventory: The skill enables the agent to invoke arbitrary capabilities on configured servers, which frequently include file system modifications or shell command execution.
  - Sanitization: No validation or sanitization of the JSON-RPC content from remote servers is performed before presentation to the agent.
- COMMAND_EXECUTION (MEDIUM): While the current implementation uses HTTP transport, the configSchema in config/openclaw.plugin.json explicitly supports stdio transport with command and args fields. This indicates the skill's capability to spawn and interact with arbitrary local processes based on user configuration.
- EXTERNAL_DOWNLOADS (LOW): The skill is designed to connect to and download data from remote endpoints configured by the user. While this is the intended function of an MCP client, it creates a dependency on external infrastructure that can influence the agent's safety profile.
Recommendations
- AI detected serious security threats
Audit Metadata