mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is designed to spawn local subprocesses as MCP servers using the StdioClientTransport from the @modelcontextprotocol/sdk. The commands and arguments are loaded from a JSON configuration file (.claude/.mcp.json), which allows for arbitrary command execution on the host machine if the file is modified or contains malicious entries.
- [PROMPT_INJECTION] (HIGH): The skill facilitates Indirect Prompt Injection (Category 8) by design.
  - Ingestion points: Data enters the system via MCP tool results, resources, and prompts retrieved from external servers (e.g., brave-search or puppeteer).
  - Boundary markers: None identified in the script logic; untrusted external data is passed directly into the agent context.
  - Capability inventory: The skill possesses high-impact capabilities including command execution (child_process.spawn via SDK) and local file writing (writeFileSync in cli.ts).
  - Sanitization: No mechanisms are present to sanitize, escape, or validate content returned by MCP tools before it is processed by the agent.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on several external Node.js dependencies and encourages the installation of third-party MCP servers via npx. Although the core SDK is a known package, the use of npx to execute unverified remote code at runtime is a notable risk. The recommendation to use gemini-cli (from a trusted source) is recognized under [TRUST-SCOPE-RULE] but does not mitigate the skill's own operational risks.
Recommendations
- AI detected serious security threats
Audit Metadata