mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill directs the agent to ingest documentation and SDK information from external, untrusted sources, which then guide code generation and command execution.
  - Ingestion points: Multiple WebFetch calls to modelcontextprotocol.io and raw.githubusercontent.com/modelcontextprotocol/... defined in SKILL.md.
  - Boundary markers: Absent. The skill provides no instructions to the agent to distinguish between the developer's instructions and potentially malicious instructions embedded in the external documentation.
  - Capability inventory: The skill involves writing server code and executing terminal commands (npm run build, npx @modelcontextprotocol/inspector, python -m py_compile).
  - Sanitization: Absent. There is no validation of the external content before it is used to influence the agent's code generation and execution flow.
- External Downloads (MEDIUM): The skill mandates downloading content from the modelcontextprotocol GitHub organization.
  - Evidence: Fetches READMEs from raw.githubusercontent.com/modelcontextprotocol/typescript-sdk and python-sdk.
  - Status: The modelcontextprotocol organization is not on the [TRUST-SCOPE-RULE] whitelist, making these untrusted external references.
- Command Execution (MEDIUM): The skill instructs the agent to run potentially dangerous build and inspection tools.
  - Evidence: Use of npx @modelcontextprotocol/inspector and npm run build in Phase 3. If the package.json or external SDKs are compromised via the documentation-led development process, these commands could lead to remote code execution.
Recommendations
- AI detected serious security threats
Audit Metadata