mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill instructs the agent to fetch and process arbitrary external API documentation (Phase 1.4) and explore live data (Phase 4.2). This untrusted data is processed while the agent has the capability to write implementation code and execute build/test commands (Phase 3.2).
- Ingestion points: WebFetch of arbitrary API documentation and external resource exploration.
- Boundary markers: Absent; no instructions provided to treat external content as untrusted or to use delimiters.
- Capability inventory: File system access for project setup,
npm run build,python -m py_compile, andnpx @modelcontextprotocol/inspectorfor code execution. - Sanitization: Absent; the agent is expected to directly translate external documentation into implementation logic without validation.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill guides the agent to fetch README files from external GitHub repositories (
modelcontextprotocol/typescript-sdk,modelcontextprotocol/python-sdk) and run the@modelcontextprotocol/inspectortool vianpx. While these are community-standard for MCP, they represent unpinned, runtime dependencies from external sources. - Command Execution (MEDIUM): Phase 3.2 explicitly requires the agent to execute shell commands (
npm run build,npx @modelcontextprotocol/inspector,python -m py_compile) to verify generated code, which could be exploited if the code generation was influenced by malicious input.
Recommendations
- AI detected serious security threats
Audit Metadata