mcp-server-scaffolding
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute `npx create-mcp-server-pro`, which downloads and runs a package directly from the NPM registry. This package is not authored by a recognized trusted organization or well-known service provided in the safety guidelines.
- [EXTERNAL_DOWNLOADS]: The project generation process relies on fetching dependencies and boilerplate code from public registries without integrity verification or version pinning in the primary instruction. This exposes the environment to potential supply chain vulnerabilities if the third-party package is compromised.
Audit Metadata