skills/wenjunduan/rlues/mcp-builder/Gen Agent Trust Hub

mcp-builder

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill contains Python scripts (scripts/evaluation.py and scripts/connections.py) that facilitate the execution of arbitrary local commands. This functionality is intended to allow the developer to launch and test MCP servers via the stdio transport, but it allows for the execution of any system command provided as an argument to the scripts.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file contains instructions for the AI agent to fetch documentation and protocol specifications from external URLs, specifically modelcontextprotocol.io and GitHub repositories associated with the Model Context Protocol. These are well-known technology domains and are used to gather necessary technical context for the development task.
  • [PROMPT_INJECTION]: The evaluation harness in scripts/evaluation.py is vulnerable to indirect prompt injection.
      ◦ Ingestion points: The script reads and parses task questions from an external XML file (e.g., evaluation.xml or scripts/example_evaluation.xml).
      ◦ Boundary markers: The agent loop utilizes a system prompt (EVALUATION_PROMPT), but the questions parsed from the XML are interpolated directly into the message chain without specific delimiters or instructions to ignore embedded commands.
      ◦ Capability inventory: The agent configured in scripts/evaluation.py has the capability to call any tool exposed by the connected MCP server, which could include file system access, network requests, or further command execution depending on the server's implementation.
      ◦ Sanitization: There is no evidence of sanitization or escaping of the input questions retrieved from the XML before they are processed by the LLM.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 05:28 PM