smithery
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the user to install a global npm package (@smithery/cli) from the public npm registry. Since the publisher is not within the Trusted Organizations list, this dependency is considered unverifiable.
- COMMAND_EXECUTION (MEDIUM): The skill facilitates adding remote MCP servers (smithery mcp add) and executing tools from those servers (smithery tool call). This represents a mechanism for executing code or logic defined by external, untrusted third parties.
- Indirect Prompt Injection (LOW):
  - Ingestion points: External content is ingested via smithery mcp search, smithery skill search, and smithery tool find results.
  - Boundary markers: Absent. The skill does not define delimiters or warnings to prevent the agent from obeying instructions embedded in tool descriptions or skill prompts.
  - Capability inventory: The agent can execute commands (smithery tool call), install software (npm install), and add new capability modules (smithery skill add).
  - Sanitization: Absent. There is no evidence of filtering or validation of the content retrieved from the Smithery registry.
- Time-Delayed / Conditional Attacks (LOW): The 'Heartbeat' section implements a time-based trigger (weekly) that prompts the agent to perform maintenance tasks, including updating the CLI and discovering new tools. While primarily for utility, this ensures persistence of the skill's operations.
Audit Metadata