using-heavy-mcps
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The core purpose of the skill is to ingest data from external, attacker-controllable or untrusted sources (such as Sanity CMS or Brain Vaults) and feed it into the agent's context.
  - Ingestion points: data enters the context via the output of `mcporter call` (e.g., `Sanity Developer.query_documents`).
  - Boundary markers: absent. The documentation suggests pasting results or embedding them in rules without delimiters and without instructing the model to ignore commands embedded in the data.
  - Capability inventory: the skill relies on `mcporter`, which can invoke any tool exposed by the connected MCP servers, including tools with write access or network capabilities, so an injected instruction has consequential actions available to it.
  - Sanitization: absent. `jq` filters which fields are kept, but it does not inspect the string content of those fields for embedded instructions.
- [External Downloads] (HIGH): Multiple examples use `bunx mcporter`, which downloads and executes code from the npm registry at runtime. The `mcporter` package and its author (steipete) are not within the defined [TRUST-SCOPE-RULE], so executing this dependency at runtime is a significant supply-chain risk; at minimum, pinning an exact version behind a lockfile would make the downloaded code reproducible and reviewable.
- [Command Execution] (MEDIUM): The skill promotes `node -e` for processing JSON output. Piping untrusted data from external MCPs into a Node.js evaluation context increases the risk of command injection or exploitation if the data is crafted to escape JSON parsing, for example when tool output is interpolated into the `-e` script string through the shell rather than read from stdin and handed to `JSON.parse`.
Recommendations
- AI detected serious security threats
Audit Metadata