create-mcp-integration
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by design. It processes untrusted user input to generate system-level configurations and executable scripts without defining security boundaries.
  - Ingestion points: The `SKILL.md` instructions prompt the agent to gather the MCP server name, execution command, and environment variables directly from user input.
  - Boundary markers: The instructions do not define any delimiters or provide warnings to the agent to ignore embedded instructions within the user-provided data.
  - Capability inventory: The skill uses the `Bash` and `Write` tools to modify the `claude.json` configuration and create new script files on the host filesystem.
  - Sanitization: There are no instructions provided to the agent to validate, escape, or sanitize the user-provided commands or environment variables before writing them to persistent storage or configuration files.
- [COMMAND_EXECUTION]: The skill modifies the `claude.json` configuration file to register new MCP servers. This results in the persistent execution of user-defined commands within the agent's environment across sessions, which could be exploited for persistence if malicious commands are injected via the scaffolding process.
- [COMMAND_EXECUTION]: The `SKILL.md.jinja` template instructs the agent that it MUST execute a dynamically generated Python script (`execute.py`) for task implementation. This encourages the agent to rely on and execute unverified code generated at runtime based on templates.
Audit Metadata