mcp-specialist
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The skill instructions and prompts encourage the use of `npx -y` to dynamically download and execute Node.js packages from the NPM registry. While this is the intended workflow for MCP provisioning, it allows an agent to execute code that has not been locally audited.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill promotes downloading and running container images via `docker pull` and `docker run`. This introduces a dependency on external container registries and the integrity of the images hosted there.
- COMMAND_EXECUTION (MEDIUM): The agent is explicitly granted the `execute` tool, which it is instructed to use for system-level operations including package management, Docker orchestration, and protocol testing via piped shell commands.
- PROMPT_INJECTION (LOW): (Category 8: Indirect Prompt Injection) The skill's workflow depends on reading an external catalog file (`mcp-catalog.context.md`) to determine which servers to provision.
  - Ingestion points: The prompt `provision-server.prompt.md` instructs the agent to read the catalog to match use cases.
  - Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the catalog data.
  - Capability inventory: The agent has `execute`, `edit`, and `fetch` capabilities, which could be abused if the catalog contains malicious instructions.
  - Sanitization: No sanitization or validation logic is specified for the data ingested from the catalog before it is used to construct execution commands.
Audit Metadata