mcporter
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the 'mcporter' Node.js package as a dependency. This is a vendor-owned resource from malue-ai used to provide the skill's core functionality for interacting with MCP servers.
- [COMMAND_EXECUTION]: The 'mcporter' CLI supports a '--stdio' flag which allows the agent to execute local scripts and commands. This is a standard and expected feature for an MCP client to interface with local server processes.
- [PROMPT_INJECTION]: The skill facilitates processing data from external MCP servers, creating an attack surface for indirect prompt injection.
  1. Ingestion points: Tool output received from HTTP endpoints or local processes via the 'call' command as documented in SKILL.md.
  2. Boundary markers: Absent; the skill does not instruct the agent to use delimiters or treat tool output as untrusted.
  3. Capability inventory: The skill can execute local shell commands via '--stdio' and perform network requests to arbitrary URLs.
  4. Sanitization: No sanitization or validation of tool output is mentioned in the instructions.
Audit Metadata