mcp-builder
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The `scripts/connections.py` file defines `MCPConnectionStdio`, which utilizes `stdio_client` to spawn subprocesses on the host machine using the provided `command` and `args`. While this is the intended transport mechanism for local MCP servers, it allows for arbitrary command execution if the input parameters are manipulated by a malicious actor or a confused agent.
- REMOTE_CODE_EXECUTION (MEDIUM): The documentation in `reference/skills-api-integration.md` provides a 'Phase 4' guide for manually or programmatically updating `config/mcp.json` to register new servers. This creates a risk where an agent with file-writing capabilities could be instructed to persist a malicious command as a registered MCP server.
- DATA_EXFILTRATION (LOW): `scripts/connections.py` implements `MCPConnectionSSE` and `MCPConnectionHTTP`, which facilitate outbound network connections to arbitrary URLs. This could be abused to exfiltrate sensitive data obtained from other tools to an attacker-controlled endpoint.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection via the MCP tool interface.
  - Ingestion points: Data returned from external MCP servers through the `call_tool` method in `scripts/connections.py`.
  - Boundary markers: Absent; the raw tool output is returned directly to the agent context.
  - Capability inventory: The skill can execute local commands (via `stdio`) and perform network operations (via `SSE`/`HTTP`).
  - Sanitization: Absent; there is no validation or escaping of the content received from the MCP server before it is processed by the agent.
Audit Metadata