mcp-builder
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The file scripts/connections.py implements a client factory that uses mcp.client.stdio.stdio_client to spawn local processes. This capability allows the agent to execute arbitrary local commands under the guise of running a local MCP server. While essential for the skill's purpose, it represents a high-risk capability.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The SKILL.md instructions guide the agent to use npx @modelcontextprotocol/inspector for testing. This command downloads and executes code from the npm registry. Since the modelcontextprotocol organization is not on the predefined trusted list, this is flagged as a dynamic execution of remote code.
- [PROMPT_INJECTION] (LOW): (Category 8 - Indirect Prompt Injection) The skill directs the agent to fetch external documentation from modelcontextprotocol.io and GitHub via WebFetch.
  - Ingestion points: Instructions in SKILL.md to fetch READMEs and specification markdown files from remote URLs.
  - Boundary markers: None provided in the instructions for handling the fetched content.
  - Capability inventory: The skill includes Python scripts (scripts/connections.py) capable of local command execution (stdio) and network requests (SSE/HTTP).
  - Sanitization: There is no logic provided to sanitize or validate the content retrieved from external sources before processing.
Audit Metadata