pica-mcp
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user/agent to run @picahq/mcp via npx. This package is downloaded from the public NPM registry at runtime. As the author organization (picahq) is not in the trusted list, this introduces a dependency on an external, unverifiable source.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The use of npx @picahq/mcp within the MCP configuration and the Vercel AI SDK integration code results in the execution of third-party code as a local subprocess. While this is the intended primary purpose of the skill, it constitutes remote code execution from an untrusted source.
- [DATA_EXFILTRATION] (MEDIUM): In the 'Integration pattern' and 'Working example' sections, the skill recommends spreading the entire process.env object into the environment variables passed to the MCP subprocess (env: { ...process.env ... }). This is a security anti-pattern that exposes all system environment variables, potentially including sensitive AWS keys, database credentials, or other API tokens, to the third-party @picahq/mcp package.
- [COMMAND_EXECUTION] (LOW): The skill provides a diagnostic command using find and -exec sh -c to check for version mismatches in node_modules. While this is a shell command execution, it is presented as a developer utility for troubleshooting rather than an automated agent action.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill facilitates tool calling from a third-party MCP server.
  - Ingestion points: Tool outputs from @picahq/mcp are ingested into the AI agent's context via streamText.
  - Boundary markers: None specified in the prompt integration code.
  - Capability inventory: The agent can execute tool calls and process results via npx.
  - Sanitization: No explicit sanitization of tool outputs is mentioned before they are processed by the LLM.
Audit Metadata