mcp-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill fetches documentation and README files from modelcontextprotocol.io and raw.githubusercontent.com/modelcontextprotocol/. These are official sources for the protocol being implemented.
- [COMMAND_EXECUTION] (SAFE): The guide recommends using standard development commands such as `npm run build`, `npx @modelcontextprotocol/inspector`, and `python -m py_compile`. These are necessary for the skill's primary purpose of software development.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill involves fetching and processing external documentation from the web. While this presents an ingestion surface for untrusted data, the risk is mitigated by the fact that the instructions point to reputable, official documentation sites.
  - Ingestion points: Loading documentation via WebFetch from modelcontextprotocol.io and GitHub READMEs.
  - Boundary markers: Not explicitly defined for the fetched documentation content.
  - Capability inventory: Subprocess execution (build/test commands) and file system writes (project creation).
  - Sanitization: Standard markdown processing is implied; no specific sanitization of the documentation text is mentioned.
Audit Metadata