mcp-to-skill

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM

Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructions direct the agent to read local configuration files to extract MCP server connection details and tool definitions.
    • Evidence: SKILL.md (Phase 1) lists paths such as ~/Library/Application Support/Claude/claude_desktop_config.json, ~/.claude/settings.json, and .cursor/mcp.json.
  • [COMMAND_EXECUTION]: The workflow involves running a local Python script for analysis and provides templates for generating shell command sequences.
    • Evidence: SKILL.md (Phase 5) instructs the agent to execute the bundled scripts/estimate_tokens.py script.
    • Evidence: references/replacement-patterns.md contains templates for executing bash, curl, and various CLI tools.
  • [EXTERNAL_DOWNLOADS]: The documentation provides instructions for installing well-known CLI utilities from their official sources.
    • Evidence: references/environment-guide.md includes a "CLI Installation Quick Reference" with commands for installing tools such as gh, aws, and kubectl using brew or apt.
  • [REMOTE_CODE_EXECUTION]: The skill provides patterns for processing data retrieved from remote URLs, and that processing can involve execution in a local shell or script environment.
    • Evidence: references/replacement-patterns.md includes examples of piping curl output into jq or python3 for processing and transformation.
  • [PROMPT_INJECTION]: The instructions contain meta-directives intended to influence how the platform's skill selection and triggering logic treats the generated skill.
    • Evidence: SKILL.md (Phase 4) explicitly instructs the agent to write "pushy" descriptions and "aggressive triggers" in the generated skill's frontmatter.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection because it processes untrusted data from external sources and local files without explicit sanitization or boundary markers.
    • Ingestion points: SKILL.md (Phase 1) reads user-provided tool schemas, MCP server source code, and data from package registries such as npm or pip.
    • Boundary markers: The instructions do not specify delimiters around ingested data, nor do they instruct the agent to ignore commands embedded within it.
    • Capability inventory: The agent environment provides access to bash, python3, and network operations.
    • Sanitization: The instructions contain no requirement to validate or sanitize the ingested content before the agent processes it.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 16, 2026, 11:56 PM