mcp-builder (skills/lv416e/dotfiles/mcp-builder)

Result: Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill presents a HIGH risk due to the potential for arbitrary command execution and the use of unverified external dependencies. The evaluation script allows the user to specify a command to run the MCP server, which can be exploited to execute malicious code. Additionally, the skill fetches documentation and installs packages from sources not explicitly listed as trusted, posing a supply chain risk.

Total Findings: 5

🔴 HIGH Findings:

• Arbitrary Command Execution
  • Line 63 (scripts/connections.py): The stdio_client function directly executes a command (self.command) with arguments (self.args) and environment variables (self.env). It is used by scripts/evaluation.py, where command and args are taken directly from command-line arguments, so a malicious command supplied by the user running the evaluation script results in arbitrary command execution on the host system.

🟠 MEDIUM Findings:

• Unverifiable External Downloads (Documentation)
  • Line 42 (SKILL.md): The skill instructs the LLM to WebFetch documentation from https://modelcontextprotocol.io/llms-full.txt. This is a network request to a domain (modelcontextprotocol.io) that is not on the trusted list. Although it only fetches documentation, it introduces a dependency on an unverified external source.
• Unverifiable External Downloads (Documentation)
  • Line 50 (SKILL.md): The skill instructs the LLM to WebFetch documentation from https://raw.githubusercontent.com/modelcontextprotocol/python-sdk/main/README.md. This fetches content from raw.githubusercontent.com (a whitelisted domain), but from the modelcontextprotocol organization, which is not on the trusted GitHub organizations list. This is an unverified external dependency.
• Unverifiable External Downloads (Documentation)
  • Line 54 (SKILL.md): Similar to the above, the WebFetch of https://raw.githubusercontent.com/modelcontextprotocol/typescript-sdk/main/README.md is an unverified external dependency.
• Unverifiable External Dependencies (Packages)
  • Line 10 (scripts/requirements.txt): The scripts/requirements.txt file lists mcp>=1.1.0 as a dependency. The mcp package is not associated with a trusted organization, posing a supply chain risk upon installation. Similar unverified package installations are mentioned in reference/evaluation.md, reference/node_mcp_server.md, and reference/python_mcp_server.md.

🔵 LOW Findings:

• Indirect Prompt Injection Risk
  • Line 109 (scripts/evaluation.py): The scripts/evaluation.py script passes LLM-generated tool_input directly to connection.call_tool. If the LLM is compromised or given malicious instructions, it could craft tool_input to perform malicious actions via the MCP server's tools. This is an inherent risk when processing LLM-generated content.
• Trusted External Dependency
  • Line 9 (scripts/requirements.txt): The scripts/requirements.txt file lists anthropic>=0.39.0 as a dependency. Anthropic is a trusted organization. This is noted as an external dependency but downgraded due to its trusted source.

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 04:22 PM