mcp-tools
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill exposes the execute_terminal_command tool, which allows the agent to run arbitrary shell commands within the IDE terminal. This provides a direct path for executing potentially malicious commands on the host machine.
- [DATA_EXFILTRATION]: The skill provides instructions to access the claude_desktop_config.json file in a user-specific path (C:\Users\Chris\AppData\Roaming\Claude\claude_desktop_config.json). This file contains sensitive application configurations. Furthermore, tools like get_all_open_file_texts and search_in_files_content allow the extraction of sensitive information or source code from the project environment.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection:
  - Ingestion points: The skill reads untrusted data from local project files (get_file_text_by_path, get_open_in_editor_file_text) and terminal output (get_terminal_text).
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat external data as untrusted or to ignore instructions embedded within that data.
  - Capability inventory: The skill includes high-impact capabilities such as terminal command execution (execute_terminal_command), file modification (replace_file_text_by_path), and IDE action execution (execute_action_by_id).
  - Sanitization: The skill logic contains no evidence of sanitization or validation for content ingested from external sources before it is processed or used in subsequent operations.