manage-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The 'File Operation' tool in references/tools.md is a direct implementation of an Arbitrary File Read vulnerability. It takes a path string directly from the user input and passes it to node:fs/promises's readFile without any validation, sanitization, or restriction to a specific directory.
- [DATA_EXFILTRATION] (MEDIUM): The 'Dynamic File Resource' in references/resources.md is vulnerable to Path Traversal. It uses a template variable ${args.filename} to construct a file path (docs/${args.filename}) without checking for directory traversal sequences like ../, which would allow an attacker to read files outside the docs/ folder.
- [COMMAND_EXECUTION] (LOW): The CORS Middleware example in references/middleware.md uses a wildcard origin (Access-Control-Allow-Origin: '*'), which is a security anti-pattern for production environments as it allows any website to make requests to the MCP server.
- [DATA_EXFILTRATION] (LOW): The 'Environment Config Resource' in references/resources.md explicitly exposes server-side environment variables (process.env.API_URL) to the agent, which could leak internal configuration details.
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface: The 'File Operation' tool (in references/tools.md) and 'Dynamic File Resource' (in references/resources.md) ingest untrusted data from the local filesystem. If these files contain malicious instructions, the agent may obey them, as they lack boundary markers or sanitization logic.
Recommendations
- AI detected serious security threats
Audit Metadata