NYC

protocol-implementation-framework

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the agent to fetch documentation and SDK READMEs from untrusted external sources including 'modelcontextprotocol.io' and 'raw.githubusercontent.com' (org: modelcontextprotocol). Neither is in the trusted organization/repository list.
  • COMMAND_EXECUTION (MEDIUM): The 'scripts/connections.py' file includes the 'MCPConnectionStdio' class which wraps 'stdio_client'. This allows the agent to execute arbitrary local system commands provided as the 'command' argument. While necessary for local MCP server integration, it functions as a remote code execution primitive if the command string is influenced by malicious input.
  • PROMPT_INJECTION (LOW): (Category 8, Indirect Prompt Injection) The skill establishes an attack surface where untrusted data is ingested and processed by an agent with significant capabilities.
      ◦ Ingestion points: Web fetching documentation from 'modelcontextprotocol.io' and GitHub READMEs as specified in SKILL.md Phases 1.2 and 1.3.
      ◦ Boundary markers: Absent. There are no instructions to ignore embedded commands in the fetched documentation.
      ◦ Capability inventory: The agent is provided with 'scripts/connections.py', which can execute local commands (stdio) and initiate network connections (SSE/HTTP).
      ◦ Sanitization: Absent. The skill does not provide methods to sanitize or validate the content retrieved from external URLs before processing.
  • DATA_EXFILTRATION (LOW): The 'MCPConnectionHTTP' and 'MCPConnectionSSE' classes in 'scripts/connections.py' enable the agent to send headers and data to external URLs. While intended for protocol compliance, these can be leveraged for data exfiltration if the agent is compromised via prompt injection.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:01 PM