mcp-management
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill is designed to manage MCP servers by spawning them as subprocesses via the StdioClientTransport. This is a core feature of the protocol and is controlled by the user's local configuration file (~/.claude/.mcp.json).
- [EXTERNAL_DOWNLOADS] (LOW): Documentation encourages using npx to download and execute MCP servers from the @modelcontextprotocol scope. While these are official sources, running remote code via npx always carries a baseline risk. It also suggests installing the third-party gemini-cli.
- [COMMAND_EXECUTION] (LOW): The CLI provides a call-tool command that executes functions on configured servers. While this is the intended behaviour, it allows execution of arbitrary logic supplied by the server implementations.
- [PROMPT_INJECTION] (LOW): The skill exhibits an Indirect Prompt Injection surface (Category 8):
  - Ingestion points: Tool catalogs (assets/tools.json) and live outputs from MCP servers are ingested into the agent context.
  - Boundary markers: Absent; there are no explicit delimiters used in the scripts to isolate tool outputs from agent instructions.
  - Capability inventory: High; the skill can spawn local processes and perform network requests through configured servers.
  - Sanitization: None; tool responses are processed as-is, which could allow a malicious server to influence the agent's behavior via poisoned data.
Audit Metadata