mcp
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes the
StdioClientTransportclass inscripts/mcp-client.tsto spawn local subprocesses. The commands and arguments used for these processes are read from a local configuration file (.claude/.mcp.json). While this is the core functionality of an MCP client, it creates an attack surface where a compromised configuration file could lead to arbitrary command execution. The severity is reduced to MEDIUM as this is the intended primary purpose of the skill. - [DATA_EXFILTRATION] (LOW): The Python implementation in
scripts/evaluation/connections.pyand the TypeScript client inscripts/mcp-client.tssupport SSE and HTTP transports. These allow the skill to establish outbound network connections to URLs specified in the configuration, which could be used to transmit data to external servers. - [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8) via external server metadata.
- Ingestion points: Metadata including tool names, descriptions, and prompt templates are fetched from connected MCP servers in
scripts/mcp-client.tsvia thegetAllTools,getAllPrompts, andgetAllResourcesmethods. - Boundary markers: Absent. There are no specific delimiters or instructions provided to the agent to disregard potentially malicious instructions embedded within the fetched server metadata.
- Capability inventory: The skill possesses significant capabilities, including local command execution via subprocesses (
connectToServer), tool invocation (callTool), and network access via HTTP/SSE transports. - Sanitization: Absent. The data retrieved from MCP servers is processed as JSON and incorporated directly into the agent's context without filtering or sanitization.
Audit Metadata