mcp-cli
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `subprocess.Popen` in `cli.py` and `mcp_call.py` to launch MCP servers as background processes. These commands are loaded from a local configuration file (`~/.mcp-cli/servers.json`) which can be populated with arbitrary shell commands via the `--add` argument, potentially leading to unauthorized command execution if the configuration is manipulated.
- [CREDENTIALS_UNSAFE]: During setup, the tool reads sensitive files from the user's home directory, specifically `~/.claude/settings.json` and `~/.claude.json`. These files often contain private API keys, tokens, and other authentication data for AI services. The skill copies this information into its own configuration storage (`~/.mcp-cli/`), expanding the attack surface for credential theft.
- [REMOTE_CODE_EXECUTION]: The skill's design facilitates the execution of external code by supporting and encouraging the use of package runners like `npx` and `uvx` for MCP servers. Documentation examples in `README.md` and `SKILL.md` demonstrate running unverified remote code directly from public registries, which is a high-risk practice.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability by ingesting data from external MCP servers (via `stdio` or `HTTP` transports) and displaying it without sanitization or boundary markers. A malicious tool response could embed instructions that an AI agent might mistakenly follow. The skill's built-in capabilities, such as spawning subprocesses and making network requests using `urllib.request.urlopen`, provide an exploitable inventory for such an attack.
Audit Metadata