mcp_server_developer
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to execute the command `npx @hummbl/mcp-server` to install and run an external package. The origin of this package is not listed among the trusted vendors, and its source code is not provided for verification.
- [COMMAND_EXECUTION]: The documentation contains multiple shell commands for initializing projects, installing dependencies, and configuring the environment, including `npm install @modelcontextprotocol/sdk` and `npx tsc --init`.
- [DATA_EXFILTRATION]: The skill contains a 'Telemetry & Analytics' section that outlines how to implement event tracking and latency monitoring. It provides a TypeScript interface for logging usage data (event names, user IDs, latencies) and mentions sending this data to an analytics service in production mode.
- [INDIRECT_PROMPT_INJECTION]: The skill provides a template for an MCP server that processes user-provided text through tool calls (e.g., 'analyze-perspective').
  - Ingestion points: Data enters through `request.params.arguments` in the `tools/call` handler defined in the code examples.
  - Boundary markers: No specific delimiters or boundary markers are implemented in the provided code snippets to distinguish between instructions and data.
  - Capability inventory: The implementation uses the `better-sqlite3` library for database operations and supports stdio transport for communication with the Claude Desktop client.
  - Sanitization: While the 'Implementation Guidelines' mention input validation with Zod and sanitization, the provided code examples do not demonstrate these safety measures.
Audit Metadata