create-tool
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
- [Remote Code Execution] (HIGH): The skill instructs users to run a remote MCP server using the command npx -y mcp-remote https://docs.vapi.ai/_mcp/server. The -y flag suppresses the install prompt, so whatever the registry currently serves as mcp-remote is downloaded and executed, and it then connects to a server at an external URL that is not included in the pre-approved list of trusted sources.
- [External Downloads] (MEDIUM): The skill references several external libraries, including @vapi-ai/server-sdk, express, flask, and mcp-remote, without specifying versions. Without version pinning (and a committed lockfile), each install resolves to whatever the registry publishes at that moment, which increases the risk of dependency confusion or of inadvertently installing a compromised package version.
- [Indirect Prompt Injection] (LOW): The tools created by this skill are designed to ingest and process data from external sources (e.g., weather services, order databases) and pass that data back to the AI assistant. If an attacker controls the source data, the text it returns is read by the model alongside its instructions, which creates a surface for indirect prompt injection.
- Ingestion points: Data enters the assistant context via toolCallList[].arguments and via the tool results returned in the server implementation examples.
- Boundary markers: No explicit markers or delimiters are used in the provided code snippets to separate external data from system instructions.
- Capability inventory: The assistant has the capability to make API requests, transfer calls, and navigate IVRs via the Vapi API.
- Sanitization: No sanitization or validation logic is demonstrated in the implementation guides to filter or escape external content.
Recommendations
- AI detected serious security threats
Audit Metadata