mcporter
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs the 'mcporter' Node.js package from a public registry during setup. This is a vendor-provided tool corresponding to the skill's author.
- [COMMAND_EXECUTION]: The tool provides a '--stdio' flag that allows executing local scripts and commands (e.g., 'bun run ./server.ts'), which is a standard feature for stdio-based Model Context Protocol (MCP) transport but poses a risk if command strings are influenced by untrusted input.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it ingests and processes data from external MCP servers and tools.
  - Ingestion points: Data returned from external servers via 'mcporter call' (SKILL.md).
  - Boundary markers: No explicit delimiters or 'ignore' instructions are provided in the skill documentation to isolate server output.
  - Capability inventory: Includes the ability to execute subprocesses, make network requests, and manage authentication credentials.
  - Sanitization: No evidence of output sanitization or validation of data from external servers.
Audit Metadata