mcp-builder
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The 'MCPConnectionStdio' class in 'scripts/connections.py' and 'mcp-builder/scripts/connections.py' uses 'stdio_client' to spawn subprocesses for running MCP servers. While this is the intended functionality of the protocol, it provides a direct path for arbitrary command execution if an attacker can influence the command or arguments passed to the connection factory.
- EXTERNAL_DOWNLOADS (LOW): The 'MCPConnectionSSE' and 'MCPConnectionHTTP' implementations in 'scripts/connections.py' allow the agent to establish network connections to arbitrary URLs. This capability could be abused for Server-Side Request Forgery (SSRF) or to exfiltrate data.
- PROMPT_INJECTION (LOW): The skill possesses a surface for Indirect Prompt Injection through its tool discovery process.
  - Ingestion points: The 'list_tools' method in 'scripts/connections.py' ingests tool names, descriptions, and schemas from external MCP servers.
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to disregard instructions embedded within the tool metadata.
  - Capability inventory: Subprocess execution ('stdio_client') and network communication (SSE/HTTP clients) defined in 'scripts/connections.py'.
  - Sanitization: Absent. The skill does not sanitize or validate the metadata returned by external servers before it is processed by the agent.
Audit Metadata