mcp-builder
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill provides a surface for indirect prompt injection by directing the agent to fetch and interpret documentation from external websites and GitHub. If these external sources were compromised, they could deliver malicious instructions to the agent.
  - Ingestion points: SKILL.md (e.g., https://modelcontextprotocol.io/sitemap.xml, https://raw.githubusercontent.com/modelcontextprotocol/.../README.md).
  - Boundary markers: Absent. No instructions are provided to the agent to delimit or ignore instructions within the fetched content.
  - Capability inventory: scripts/connections.py provides tools for arbitrary command execution (stdio) and network communication (http, sse).
  - Sanitization: Absent.
- [EXTERNAL_DOWNLOADS] (LOW): The skill instructions involve downloading and running external code and fetching remote data.
  - Evidence: SKILL.md (Phase 3.2) directs the use of npx @modelcontextprotocol/inspector, which executes remote code from the npm registry.
  - Evidence: SKILL.md (Phase 1.3) directs the agent to fetch README files from the modelcontextprotocol GitHub organization.
- [COMMAND_EXECUTION] (LOW): The skill includes Python code to facilitate MCP connections, which includes the ability to execute arbitrary local commands via the stdio transport.
  - Evidence: scripts/connections.py contains MCPConnectionStdio, which utilizes mcp.client.stdio.stdio_client to launch subprocesses based on user-provided commands and arguments.
Audit Metadata