mcporter
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires installing the 'mcporter' npm package, a third-party dependency from a non-trusted repository, which poses a supply chain risk.
- [COMMAND_EXECUTION] (MEDIUM): The tool explicitly supports running local commands via the '--stdio' flag, so the agent can spawn subprocesses; this capability could be abused for malicious purposes.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The 'generate-cli' and 'emit-ts' functionalities create new executable artifacts from remote definitions, which can lead to the execution of untrusted logic.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes data from external MCP servers. Evidence chain:
  - (1) Ingestion points: MCP tool outputs from HTTP and stdio sources.
  - (2) Boundary markers: absent in the skill instructions.
  - (3) Capability inventory: subprocess spawning, file system access (config), and network operations.
  - (4) Sanitization: no sanitization logic specified in the skill file.
Audit Metadata