mcp-builder
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The `evaluation.py` script is designed to execute local commands provided via the `-c`/`--command` and `-a`/`--args` CLI flags. This is used to launch and test local MCP server implementations during development. The execution is managed through the `stdio` transport using the official `mcp` library.
- [EXTERNAL_DOWNLOADS]: The skill guides the user to fetch documentation, sitemaps, and README files from official Model Context Protocol sources, including `modelcontextprotocol.io` and the `modelcontextprotocol` organization on GitHub. These are well-known and trusted sources for this technology.
- [INDIRECT_PROMPT_INJECTION]: The evaluation harness processes user-provided questions from XML files and passes them to an LLM alongside tool outputs. This represents an inherent attack surface for developer tools that process external data, though it is consistent with the tool's primary purpose as a test runner.
- [DYNAMIC_EXECUTION]: The `connections.py` script dynamically creates process contexts for `stdio` communication based on user configuration. This is a standard requirement for interacting with local Model Context Protocol servers.
Audit Metadata