search
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script reads sensitive credential data from local storage. It recursively searches the `~/.mcp-auth/` directory for `*_tokens.json` files and extracts `access_token` values. This grants the skill access to potentially multiple service credentials stored in that directory.
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` to download and execute a package at runtime. It runs `npx -y mcp-remote` to initiate authentication, which involves fetching code from the NPM registry and executing it dynamically.
- [COMMAND_EXECUTION]: The script executes several shell commands, including `find`, `jq`, `base64`, and `curl`, to perform its authentication and search tasks. This is part of its core functionality but involves multiple subprocess calls.
- [DATA_EXFILTRATION]: The skill transmits retrieved authentication tokens to external Tavily endpoints (`mcp.tavily.com` and `api.tavily.com`) to facilitate the search request.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through search results.
  - Ingestion points: The skill fetches web content and snippets from the Tavily API (`scripts/search.sh`).
  - Boundary markers: None identified; search results are directly outputted without delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The skill has network access via `curl` and can execute remote code via `npx` during authentication.
  - Sanitization: There is no evidence of content sanitization or filtering to prevent malicious instructions in the search data from influencing the agent's next steps.
Audit Metadata