mcporter
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION EXTERNAL_DOWNLOADS DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the mcporter CLI which has the capability to execute local commands, specifically when using the --stdio flag to run MCP servers locally (e.g., mcporter call --stdio "bun run ./server.ts").
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of the mcporter package from the npm registry (Node.js).
- [DATA_EXFILTRATION]: The skill documents the use of mcporter auth and mcporter config login to manage credentials and authentication tokens for external MCP servers. It also supports calling full URLs, which involves network operations.
- [PROMPT_INJECTION]: As a tool designed to ingest data from external MCP servers via mcporter call, it possesses an indirect prompt injection surface.
  - Ingestion points: Tool outputs returned from HTTP or stdio MCP servers.
  - Boundary markers: None explicitly defined in the provided instructions.
  - Capability inventory: File system access (config management), network operations (HTTP servers, OAuth), and subprocess execution (stdio servers).
  - Sanitization: The skill instructions do not specify sanitization for the data retrieved from external servers.
Audit Metadata