mcp-setup
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill facilitates the execution of arbitrary shell commands through the 'Custom MCP Server' section. It specifically constructs commands using user-provided input: `claude mcp add <server-name> -- <command> [args...]`. This is an unvalidated execution sink.
- REMOTE_CODE_EXECUTION (HIGH): The skill utilizes `npx -y` to download and immediately execute packages from the npm registry. In the 'Custom' section, this pattern can be abused to download and run any malicious script or binary.
- INDIRECT_PROMPT_INJECTION (HIGH): This skill has a high-risk attack surface (Category 8).
  - Ingestion points: The skill explicitly prompts for server names, commands, arguments, and environment variables in the 'Custom' section.
  - Boundary markers: No delimiters or warnings are used to prevent the agent from obeying instructions embedded in these inputs.
  - Capability inventory: The skill uses `claude mcp add`, which spawns subprocesses based on the provided command string.
  - Sanitization: There is no evidence of sanitization or escaping for the user-provided command strings.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill downloads several packages, including `exa-mcp-server` and `@upstash/context7-mcp`. While some packages are from recognized organizations, the skill lacks integrity verification (e.g., checksums) for these remote dependencies.
- CREDENTIALS_UNSAFE (LOW): The skill requests sensitive information including `EXA_API_KEY` and a GitHub Personal Access Token. While this is necessary for configuration, passing these as environment variables in a command-line utility can leak them to process monitoring tools or command history.
Recommendations
- AI detected serious security threats
Audit Metadata