
smithery

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill is designed to connect the agent to remote Model Context Protocol (MCP) servers via smithery mcp add and execute their tools via smithery tool call. This allows for the execution of logic hosted on external servers (e.g., server.smithery.ai), which represents a form of remote capability execution.
  • COMMAND_EXECUTION (HIGH): The smithery skill add command downloads and installs new 'skills' from a central registry. In the context of AI agents, skills are executable instructions or workflows that can significantly alter agent behavior and security posture.
  • EXTERNAL_DOWNLOADS (MEDIUM): The installation instructions require npm install -g @smithery/cli. While NPM is a standard registry, the package is from a non-whitelisted organization, necessitating verification of the package's integrity and permissions.
  • PROMPT_INJECTION (LOW): The 'HEARTBEAT.md' section contains instructions that act as a persistence mechanism, directing the agent to periodically update the CLI and scan for new tools. This ensures the Smithery ecosystem remains active in the agent's environment.
  • INDIRECT PROMPT INJECTION (LOW): The skill creates a significant attack surface for indirect injection.
      - Ingestion points: Data is ingested via smithery mcp search and smithery skill search results.
      - Boundary markers: There are no delimited boundaries or sanitization protocols mentioned for the content returned by the registry.
      - Capability inventory: The agent can execute remote tools and install new instruction sets (skills).
      - Sanitization: No evidence of validation or sanitization of tool outputs or skill content before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:47 PM