mcp-servers
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via remote MCP server configurations and OpenAPI specifications.
  - Ingestion points: Remote OpenAPI spec URLs and MCP server URLs provided in manifests (`SKILL.md`, `references/manifest-schema.md`).
  - Boundary markers: The `SKILL.md` contains explicit security warnings regarding remote specs, but no technical delimiters are enforced in the processing logic.
  - Capability inventory: Registered MCP servers provide tools that the agent can execute; the `scripts/tfy-api.sh` script enables the registration of these servers, which then grant the agent new tool capabilities.
  - Sanitization: Content from remote specs is parsed by the platform gateway but not sanitized for instruction-like patterns before being converted into agent tools.
- [EXTERNAL_DOWNLOADS]: The skill facilitates connections to remote MCP endpoints and fetches remote OpenAPI specifications at runtime for conversion into agent-accessible tools. It also references pinned container images from trusted registries like Amazon ECR and GHCR in `references/container-versions.md`.
- [COMMAND_EXECUTION]: The skill uses Bash to execute helper scripts (`scripts/tfy-api.sh`, `scripts/tfy-version.sh`) for API communication and environment verification. It also leverages the TrueFoundry CLI (`tfy`) for applying resource manifests, as described in `references/cli-fallback.md`.
Audit Metadata