mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [Command Execution] (HIGH): The skill provides a CLI for calling MCP tools (npx tsx scripts/cli.ts call-tool). Since MCP tools are external executables or scripts defined in the .claude/.mcp.json configuration, this allows for arbitrary command execution on the host system depending on the configured servers.
- [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from external MCP servers to build a tool catalog.
  - Ingestion points: Dynamic responses from MCP servers listed in .claude/.mcp.json are saved to assets/tools.json and analyzed by the LLM.
  - Boundary markers: None. The skill documentation suggests the LLM analyzes assets/tools.json directly for tool selection, which could contain malicious instructions embedded in tool descriptions.
  - Capability inventory: High. The skill can execute tools via scripts/cli.ts and gemini -y, creating a direct path from untrusted metadata to code execution.
  - Sanitization: No sanitization or validation of the schemas provided by external MCP servers is mentioned.
- [Credentials Unsafe] (MEDIUM): The skill specifically targets .claude/.mcp.json and .gemini/settings.json. These files are standard storage locations for MCP server configurations, which frequently contain sensitive API keys and authentication tokens for third-party services.
- [External Downloads] (LOW): The skill recommends installing gemini-cli. Per [TRUST-SCOPE-RULE], google-gemini/gemini-cli is a trusted repository, so this download is classified as LOW severity despite its powerful capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata