native-mcp

Pass

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill launches local subprocesses for stdio-based servers using user-defined commands and arguments (e.g., npx, uvx) from the agent configuration file.
  • [EXTERNAL_DOWNLOADS]: The documentation encourages the installation of the mcp Python SDK and the use of package runners like npx and uvx, which download and execute packages from remote registries at runtime.
  • [PROMPT_INJECTION]: The skill supports the MCP 'sampling' capability by default, allowing external servers to request LLM completions through the agent, which introduces an indirect prompt injection surface.
    • Ingestion points: Tool results from external servers and server-initiated completion requests entering the agent context.
    • Boundary markers: The skill redacts common credential patterns from error messages, but does not specify delimiters for general tool output.
    • Capability inventory: The skill permits subprocess spawning (command execution) and HTTP network communication.
    • Sanitization: Implements automatic redaction of GitHub PATs, OpenAI-style keys, and generic secret patterns (API_KEY, password) in error messages.
  • [DATA_EXFILTRATION]: Configuration settings allow users to explicitly pass sensitive environment variables and HTTP headers to external servers, which is standard for authenticated tool access but involves transmitting secrets to external endpoints.
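The two mechanisms the findings above describe, configured commands, environment variables and headers being handed to external servers, and credential patterns being redacted from error messages, as an added Python example. This is not code from the native-mcp skill or from the Trust Hub audit. The config schema (a `mcpServers` map whose entries carry `command`/`args`/`env` for stdio servers or `url`/`headers` for HTTP servers), the regexes, the finding category names and the sample config are assumptions made for illustration; the skill's own pattern list is not published on this page.

```python
import re

# Added example (not the native-mcp skill's own code). The config schema is an
# assumption: one "mcpServers" map whose entries carry either command/args/env
# (stdio transport) or url/headers (HTTP transport).

PACKAGE_RUNNERS = {"npx", "uvx"}  # runners that fetch and execute a package at run time

# Credential patterns to scrub from error text. Assumed shapes chosen to cover the
# classes the audit names: GitHub PATs, OpenAI-style keys, generic KEY=value pairs.
_SPECIFIC = [
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),  # classic GitHub tokens (ghp_, gho_, ...)
    re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}"),  # fine-grained GitHub PATs
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),         # OpenAI-style secret keys
]
_GENERIC = re.compile(
    r"""(?ix)
    ([\w-]*(?:api[_-]?key|password|passwd|secret|token))  # field name, e.g. OPENAI_API_KEY
    (["']?\s*[:=]\s*)                                     # optional closing quote, then = or :
    (["']?)                                               # optional opening quote of the value
    ([^\s"',]+)                                           # the value itself
    """
)
_SECRET_NAME = re.compile(r"(?i)api[_-]?key|token|secret|password|passwd|authorization")


def redact_secrets(text: str) -> str:
    """Replace credential values in an error message; the field name is kept for debugging."""
    for pat in _SPECIFIC:
        text = pat.sub("[REDACTED]", text)
    return _GENERIC.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]", text)


def _is_pinned(runner: str, spec: str) -> bool:
    """npx pins as name@1.2.3 (a leading @ is a scope, not a pin); uvx pins as name==1.2.3."""
    if runner == "npx":
        return spec.rfind("@") > 0
    return "==" in spec


def review_config(config: dict) -> list[tuple[str, str, str]]:
    """Return (server, category, detail) findings per server entry, details already redacted."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        cmd, args = server.get("command"), server.get("args", [])
        if cmd:
            findings.append((name, "COMMAND_EXECUTION", f"spawns '{cmd} {' '.join(args)}'"))
            if cmd in PACKAGE_RUNNERS:
                spec = next((a for a in args if not a.startswith("-")), None)
                if spec is None or not _is_pinned(cmd, spec):
                    findings.append((name, "EXTERNAL_DOWNLOAD_UNPINNED",
                                     f"{cmd} fetches {spec or '?'} from a registry without a version pin"))
            for var in server.get("env", {}):
                if _SECRET_NAME.search(var):
                    findings.append((name, "DATA_EXFILTRATION_ENV", f"env var {var} is handed to the subprocess"))
        url = server.get("url")
        if url:
            if not url.startswith("https://"):
                findings.append((name, "PLAINTEXT_TRANSPORT", f"{url} is not https"))
            for header in server.get("headers", {}):
                if _SECRET_NAME.search(header):
                    findings.append((name, "DATA_EXFILTRATION_HEADER", f"header {header} is sent to {url}"))
    # Run every detail through the redactor so a finding never echoes a secret itself.
    return [(n, c, redact_secrets(d)) for n, c, d in findings]


SAMPLE_CONFIG = {  # constructed for this example; not a real agent configuration
    "mcpServers": {
        "files": {"command": "npx", "args": ["-y", "@example/files-server", "/srv/data"]},
        "github": {"command": "uvx", "args": ["example-github-mcp==1.2.0"],
                   "env": {"GITHUB_TOKEN": "ghp_" + "a1b2" * 9}},
        "remote": {"url": "http://mcp.example.internal/sse",
                   "headers": {"Authorization": "Bearer sk-" + "x" * 24}},
    }
}

if __name__ == "__main__":
    for server, category, detail in review_config(SAMPLE_CONFIG):
        print(f"[{category}] {server}: {detail}")
    # A stderr line as a failing subprocess might emit it (constructed).
    print(redact_secrets("uvx: auth failed, GITHUB_TOKEN=" + "ghp_" + "a1b2" * 9))
```

The redactor keeps the variable or field name and replaces only the value, which is what the audit describes for error messages; note that it does nothing for general tool output, matching the "boundary markers" caveat above. The config review is a pre-flight check, not a sandbox: it tells you which secrets leave the host and which runners will fetch unpinned code, but it does not stop the subprocess from being spawned.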
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 27, 2026, 07:07 AM