proxy-pay-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): Sensitive Financial Data Exposure. The tool `proxy.cards.get_sensitive` allows the agent to retrieve clear-text payment card numbers (PAN) and CVV codes. This access allows a compromised or manipulated agent to exfiltrate full credit card details to unauthorized destinations.
- [Indirect Prompt Injection] (HIGH): Critical Attack Surface for Financial Misuse. The skill grants the agent 'write' capabilities in a financial context (creating intents and requesting approvals).
  - Ingestion points: The agent interacts with external data (invoices, merchant pages, or user instructions) in the same context as these financial tools.
  - Boundary markers: None identified in the instruction file to isolate untrusted data from tool execution.
  - Capability inventory: `proxy.intents.create` (financial transaction initiation) and `proxy.cards.get_sensitive` (PII/financial data retrieval).
  - Sanitization: Absent; the agent is expected to use natural language reasoning to determine when and why to use these tools, which is easily influenced by malicious content in processed data.
- [Unverifiable Dependencies] (MEDIUM): Untrusted External Source. The skill relies on an HTTP MCP server located at https://mcp.useproxy.ai/api/mcp. This domain is not in the trusted source list, meaning the agent's available tools and their logical definitions are controlled by a third party with no verified reputation in this framework.
Recommendations
- AI detected serious security threats
Audit Metadata