extract
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): The script `scripts/extract.sh` searches the user's home directory (`~/.mcp-auth/`) for credential files (`*_tokens.json`) to extract authentication tokens. While necessary for the skill's intended MCP integration, this involves broad access to sensitive credential storage.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The script uses `npx -y mcp-remote` to initiate an OAuth flow. This command downloads and executes the `mcp-remote` package from the npm registry at runtime without a pinned version, creating a potential supply chain risk.
- [PROMPT_INJECTION] (LOW): This skill is vulnerable to indirect prompt injection as it ingests untrusted content from external URLs.
  - Ingestion points: External URL content is fetched via the Tavily API in `scripts/extract.sh`.
  - Boundary markers: Absent; the extracted content is returned without delimiters.
  - Capability inventory: Execution of shell commands (curl, jq, npx) and background processes.
  - Sanitization: None; the raw content from the API is passed back to the agent context.
- [COMMAND_EXECUTION] (LOW): The script executes shell commands to perform API requests and process JSON data. It interpolates user-provided URL strings into its logic through `jq` and `curl`.