Skills
skills/neversight/skills_feed/mcp-vods/Gen Agent Trust Hub

mcp-vods

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses npx -y mcporter and uvx mcp-vods to fetch tools at runtime. These packages are sourced from public registries (NPM and PyPI) and do not belong to the trusted organizations or repositories list. This creates a dependency on unverified third-party code.
  • [COMMAND_EXECUTION] (MEDIUM): The primary functionality is delivered through shell command execution (npx ... mcporter call). The use of external inputs like keyword and url within these shell commands could lead to command injection if the underlying mcporter or mcp-vods tools do not properly sanitize arguments.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): Both npx (Node.js) and uvx (Python/uv) are designed to download and execute code immediately. This pattern is inherently risky as it executes the latest version of remote code without manual verification or integrity checks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 20, 2026, 05:34 PM