mcp-builder

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (flags: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Command Execution (MEDIUM): The file 'scripts/connections.py' contains the 'MCPConnectionStdio' class, which facilitates the execution of arbitrary local commands through the MCP stdio transport layer. While this is a standard operational mode for local MCP servers, it represents a significant command execution surface that could be exploited if an agent is directed to run untrusted command strings.
  • Indirect Prompt Injection (LOW): The 'SKILL.md' document (Phases 1.2, 1.3, and 1.4) guides the agent to fetch and follow instructions from external sources such as 'modelcontextprotocol.io' and GitHub. This introduces a vulnerability surface where a compromised remote file could inject malicious instructions into the agent's context.
      ◦ Ingestion points: Retrieval of the MCP specification and SDK READMEs from external URLs.
      ◦ Boundary markers: Absent. The instructions do not define delimiters or provide warnings to ignore embedded instructions in the fetched data.
      ◦ Capability inventory: The skill allows the agent to execute shell commands, write files, and install software packages.
      ◦ Sanitization: Absent. Content fetched from the internet is processed without validation or sanitization.
  • External Downloads (LOW): The skill fetches content from 'modelcontextprotocol.io' and repositories under the 'modelcontextprotocol' GitHub organization. As these sources are not included in the predefined trusted organization list, they are flagged for administrative review.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:11 PM