qdrant-codebase-search
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE
Flagged categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download of an external package, @mhalder/qdrant-mcp-server@3.3.1, from the npm registry, which is a well-known service. This is used to run the core MCP server functionality.
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute the downloaded package using npx -y. This execution pattern is necessary for the skill's primary function of providing an MCP server.
- [COMMAND_EXECUTION]: The provided scripts scripts/setup-mcp.sh and scripts/check-health.sh execute various system commands, including claude mcp add, mkdir, curl, and node. These are used for configuring the agent environment and verifying infrastructure readiness.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted external data (the user's codebase and git history) to build a searchable index.
  - Ingestion points: Untrusted data enters the agent context through the index_codebase and index_git_history tools, which read source files, comments, and commit messages.
  - Boundary markers: The skill includes explicit warnings in SKILL.md and references/configuration.md (Security Guardrails sections) instructing the agent to treat indexed content as context only and not as trusted instructions.
  - Capability inventory: The skill has the capability to execute shell commands (via the setup scripts and the configured MCP server) and access the local file system (required for indexing).
  - Sanitization: No specific content sanitization or filtering logic is present in the provided shell scripts; the safety relies on the agent's interpretation and the warnings provided in the documentation.
Audit Metadata