mcp-builder
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes scripts/evaluation.py and scripts/connections.py, which use the mcp library's stdio_client to execute arbitrary shell commands. This functionality is intended to launch and manage MCP server processes during testing, using commands and arguments provided via CLI flags (-c and -a).
- [EXTERNAL_DOWNLOADS]: The SKILL.md file instructs the agent to fetch documentation and SDK references from external sources, including modelcontextprotocol.io and the modelcontextprotocol GitHub organization. These are official repositories for the protocol and are considered trusted sources for this use case.
- [PROMPT_INJECTION]: The evaluation harness in scripts/evaluation.py is vulnerable to indirect prompt injection (Category 8).
  - Ingestion points: Test questions are ingested from user-provided XML files (e.g., evaluation.xml).
  - Boundary markers: The ingested question is passed directly to the LLM as a user message without delimiters or protective instructions.
  - Capability inventory: The agent in the evaluation loop has access to all tools exposed by the MCP server under test, which could include file system access or network operations depending on the server's implementation.
  - Sanitization: There is no evidence of sanitization or filtering of the question content before it is processed by the model.
Audit Metadata