mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- Remote Code Execution (HIGH): The skill executes arbitrary commands specified in .claude/.mcp.json using StdioClientTransport. This provides a direct path for code execution if the configuration is malicious or tampered with.
- External Downloads (HIGH): Documentation recommends using npx -y to download and run packages like @modelcontextprotocol/server-memory and @modelcontextprotocol/server-filesystem without version pinning or source verification.
- Indirect Prompt Injection (HIGH): The skill handles untrusted data from external MCP servers entering the agent context without sanitization or boundary markers. (1) Ingestion points: scripts/mcp-client.ts functions getAllTools, getAllPrompts, and getAllResources. (2) Boundary markers: Absent; no instructions are provided to the agent to treat server outputs as untrusted. (3) Capability inventory: High-privilege command execution and file writing (assets/tools.json). (4) Sanitization: Absent.
- Command Execution (HIGH): The CLI tool (scripts/cli.ts) facilitates the execution of arbitrary tools on connected servers, which includes filesystem access and browser automation capabilities.
- Credentials Unsafe (MEDIUM): The configuration guide provides examples of hardcoding API keys in .claude/.mcp.json, which could lead to credential exposure if the configuration file is accidentally shared or committed to version control.
Recommendations
- AI detected serious security threats
Audit Metadata