mcp-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is designed to execute arbitrary shell commands defined in
.mcp.json. TheMCPClientManager.connectToServermethod inmcp-client.tsusesStdioClientTransportto spawn subprocesses based on user-provided configuration (command and args). - [EXTERNAL_DOWNLOADS] (HIGH): The documentation and example configurations (
README.md,references/configuration.md) encourage usingnpx -yto download and execute remote packages from NPM at runtime. This bypasses version pinning and integrity checks. - [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8). It explicitly facilitates reading data from external sources (e.g.,
brave-search,fetch,puppeteer) and feeding it to the LLM. There are no evident sanitization or boundary marking mechanisms to prevent malicious instructions embedded in web pages or search results from hijacking the agent. - [CREDENTIALS_UNSAFE] (HIGH): The skill manages sensitive credentials (API keys) via environment variables and configuration files (
.mcp.json). While it supports environment variable substitution, the recommendation to symlink the configuration to a common location (.gemini/settings.json) increases the exposure surface of these secrets. - [DATA_EXFILTRATION] (MEDIUM): A combination of the
filesystemormemorytools with thefetchorsearchtools provides a direct path for exfiltrating sensitive local data to external endpoints.
Recommendations
- AI detected serious security threats
Audit Metadata