mcp-builder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The file scripts/connections.py implements the MCPConnectionStdio class which uses mcp.client.stdio.stdio_client to execute arbitrary system commands. This provides the agent with a direct mechanism to spawn subprocesses with controllable commands, arguments, and environment variables on the host system.
  • REMOTE_CODE_EXECUTION (HIGH): The skill presents a significant indirect prompt injection surface (Category 8). Evidence chain:
      1. Ingestion points: SKILL.md (lines 48, 61, 71) instructs the agent to fetch remote content via WebFetch to guide its development process.
      2. Boundary markers: absent; fetched content is treated as authoritative framework documentation.
      3. Capability inventory: scripts/connections.py provides full subprocess execution via stdio transport.
      4. Sanitization: absent.
    An attacker who controls the remote documentation could provide malicious instructions that the agent then executes using its command-line capabilities.
  • EXTERNAL_DOWNLOADS (MEDIUM): SKILL.md directs the agent to fetch resources from modelcontextprotocol.io and raw.githubusercontent.com/modelcontextprotocol. These sources are not on the list of Trusted External Sources, and fetching content that dictates agent logic from external sites is a security risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:05 AM