syncing-mcp-servers
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through configuration poisoning by propagating untrusted repository data to a global user configuration.
  - Ingestion points: The skill reads server definitions from the repository-level `.vscode/mcp.json` file.
  - Boundary markers: No boundary markers or warnings are used to isolate or flag repository-provided settings before merging them into the global user config.
  - Capability inventory: The skill possesses file read/write capabilities for sensitive paths (`~/.copilot/mcp-config.json`) and executes shell commands via the `copilot` binary.
  - Sanitization: There is no evidence of validation or sanitization for `command` or `args` fields in the synced JSON, which allows the propagation of arbitrary shell commands.
- [COMMAND_EXECUTION]: The skill performs shell command execution to verify tool availability using the `copilot` binary. It specifically includes the `--allow-all-tools` flag, which bypasses user confirmation for tool execution. This creates a risk where a malicious command injected during the sync process could be triggered automatically during the verification step.
- [DATA_EXFILTRATION]: The skill reads and writes to `~/.copilot/mcp-config.json`, which is a sensitive user-level configuration file. Although no explicit network exfiltration of this file's content is identified, the file may contain private server URLs, sensitive tool parameters, or access tokens for HTTP-based MCP servers.