sonarqube-mcp

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Tags: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Data Exposure & Exfiltration] (LOW): The tool create_webhook allows the agent to configure an arbitrary URL for webhook delivery, which could facilitate Server-Side Request Forgery (SSRF) or data exfiltration. This is a primary feature of the target platform.
  • [Data Exposure & Exfiltration] (LOW): The get_raw_source, get_system_logs, and get_system_info tools provide access to source code and server-side logs. While intended for administrative use, they expose highly sensitive information.
  • [Unverifiable Dependencies & Remote Code Execution] (LOW): The setup documentation recommends pulling an external Docker image (mcp/sonarqube) that is not listed within the trusted provider organizations.
  • [Indirect Prompt Injection] (LOW): The skill processes untrusted data from the SonarQube server which may influence agent behavior.
    1. Ingestion points: get_raw_source, show_rule, search_sonar_issues_in_projects.
    2. Boundary markers: Absent.
    3. Capability inventory: create_webhook, change_sonar_issue_status.
    4. Sanitization: Absent.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:33 PM