mcp-management
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes external Model Context Protocol (MCP) servers as subprocesses using the StdioClientTransport class in scripts/mcp-client.ts. The commands and arguments used to spawn these processes are retrieved from a local configuration file (.claude/.mcp.json). This is the standard operational mode for MCP clients.
- [EXTERNAL_DOWNLOADS]: Documentation and configuration guides (e.g., references/configuration.md) provide examples that use npx to download and run official MCP server packages like @modelcontextprotocol/server-memory and @modelcontextprotocol/server-filesystem. These downloads target the official protocol ecosystem.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it ingests and processes data (such as tool outputs and capability descriptions) from external MCP servers.
  - Ingestion points: Data from external servers enters the agent's context through the listTools, listPrompts, and callTool methods in scripts/mcp-client.ts.
  - Boundary markers: The skill does not implement explicit boundary markers or "ignore previous instruction" wrappers when passing data from MCP servers to the main agent.
  - Capability inventory: The skill is capable of executing system commands and interacting with the filesystem via the MCP servers it manages, as implemented in scripts/mcp-client.ts.
  - Sanitization: No explicit sanitization or filtering of content from external servers is performed before returning results to the agent.
Audit Metadata