NYC

MCP Integration

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The file examples/stdio-server.json contains a configuration for the filesystem server that uses npx -y @modelcontextprotocol/server-filesystem. The -y flag forces the automatic download and execution of the package from the npm registry without user confirmation.
  • COMMAND_EXECUTION (HIGH): examples/stdio-server.json defines multiple tools that execute shell commands on the host system. This includes executing a JavaScript file via a variable path (${CLAUDE_PLUGIN_ROOT}/servers/db-server.js) and running a Python module (python -m my_mcp_server). These configurations allow the agent to launch arbitrary subprocesses defined in the JSON.
  • DATA_EXFILTRATION (LOW): The filesystem tool grants the agent read/write access to the local directory ${CLAUDE_PROJECT_DIR}. While this is the intended purpose of the Model Context Protocol filesystem server, it establishes a broad access surface for potentially sensitive local data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:02 PM