mcp-oauth
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill retrieves OAuth configuration (such as authorization endpoints and scopes) from a user-specified URL and interpolates these values directly into shell commands for curl and open. A malicious server could return payloads containing shell metacharacters (e.g., semicolons or backticks) to execute arbitrary commands on the user's system.
- DATA_EXFILTRATION (MEDIUM): OAuth authorization codes and state tokens are written to /tmp/mcp_oauth_code.txt and /tmp/mcp_oauth_state.txt. On multi-user systems, the /tmp directory is often globally readable, creating a risk that secrets could be intercepted by other users or processes.
- EXTERNAL_DOWNLOADS (LOW): The skill performs automated discovery of OAuth metadata from arbitrary user-provided URLs. This lack of host validation, combined with the use of the returned data in execution steps, makes the agent a vector for interacting with malicious infrastructure.
- PROMPT_INJECTION (LOW): [Indirect Prompt Injection] Ingestion: Remote MCP server metadata responses (Step 1 and 2); Boundary markers: None; Capability inventory: Subprocess execution via curl, open, and node; Sanitization: None.
Recommendations
- AI detected serious security threats
Audit Metadata