mcp-manager (skills/rysweet/amplihack/mcp-manager)

Verdict: Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill facilitates the execution of arbitrary shell commands through the 'add' command, which takes user-supplied 'command' and 'args' to configure new MCP servers. These values are passed to a local CLI tool ('python3 -m mcp-manager.cli') which updates the system configuration. Without strict sanitization, this pattern is highly vulnerable to command injection.
  • [CREDENTIALS_UNSAFE] (HIGH): The skill is explicitly designed to manage environment variables that contain secrets, such as 'DATABASE_URL', 'tokens', and 'passwords'. It interacts directly with '~/.amplihack/.claude/settings.json', a known location for sensitive application configuration and credentials.
  • [DATA_EXFILTRATION] (MEDIUM): The 'export' command allows users to save the entire MCP configuration to an arbitrary file path. This provides a mechanism to exfiltrate all configured secrets and environment variables to insecure or attacker-controlled locations.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The 'import' command processes external JSON files, creating an attack surface where malicious configuration data could influence the agent's behavior. (1) Ingestion points: 'import'. (2) Boundary markers: absent in the skill definition. (3) Capability inventory: subprocess execution via python3, modification of settings.json. (4) Sanitization: the skill mentions redacting sensitive information in responses but provides no technical details on input validation or sanitization of the imported configuration values.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 19, 2026, 05:31 PM