mcp-integration
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (MEDIUM): The instructions use extremely assertive language such as 'ABSOLUTE REQUIREMENT - NEVER SKIP THIS STEP' and 'MANDATORY' to override the agent's default reasoning processes.
- Indirect Prompt Injection (MEDIUM): The framework mandates fetching validation rules from external sources and treating them as the 'source of truth', creating a vulnerability surface. (1) Ingestion points: docs-management skill, Perplexity AI queries, and local .mcp.json files. (2) Boundary markers: None present to delimit external data. (3) Capability inventory: Execution of 'claude mcp' CLI commands based on discovered state. (4) Sanitization: None; the framework explicitly relies on the 'official' status of content.
- Command Execution (LOW): The framework requires the agent to execute system commands ('claude mcp list' and 'claude mcp get') to discover configuration state on the host machine.
- Credentials Management (LOW): The document 'credential-patterns.md' incorrectly labels hardcoding credentials in local user settings as 'acceptable', which is a best-practice violation despite correctly flagging project-level exposure as critical.
Audit Metadata