mcp-cli
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill requires cloning and building a tool from 'https://github.com/f/mcptools.git'. This repository is not within the defined trust scope, posing a risk of supply chain compromise or malicious code execution during the build process.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill executes arbitrary commands at runtime via 'npx' and 'docker', downloading external packages from public registries without integrity verification.
- [CREDENTIALS_UNSAFE] (HIGH): The documentation explicitly instructs users to pass sensitive API keys, tokens, and passwords as command-line arguments (e.g., '--auth-user', '--auth-header') or as environment variables. This practice exposes secrets to process listing tools and shell history.
- [COMMAND_EXECUTION] (HIGH): The 'mcp' tool acts as a shell wrapper that executes arbitrary strings as commands, enabling any server definition to perform unauthorized operations on the host.
- [PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection. The skill ingests data from untrusted external 'MCP servers' (ingestion points: 'mcp tools', 'mcp call', 'mcp read-resource') with no boundary markers or sanitization. Because the skill has write/execute capabilities (file system access, command execution), this represents a high-severity vulnerability where a malicious server can take control of the agent.
Recommendations
- AI detected serious security threats
Audit Metadata