
mcp-builder

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes an evaluation harness (scripts/evaluation.py) that uses the stdio transport to launch local MCP servers. This involves executing system commands and arguments provided by the user via CLI to spawn the server as a subprocess. This is an expected and documented feature for local MCP integration testing.
  • [PROMPT_INJECTION]: The evaluation loop in scripts/evaluation.py is vulnerable to indirect prompt injection, as the agent processes responses from external tools.
      • Ingestion points: Data enters the agent context from the evaluation XML file and from the outputs of the tools called on the MCP server being evaluated.
      • Boundary markers: The EVALUATION_PROMPT enforces structured output using XML tags but does not use specific delimiters to isolate tool outputs from the rest of the prompt, potentially allowing a tool to inject instructions into the conversation history.
      • Capability inventory: The agent can execute any tool exposed by the connected MCP server and interacts with the Anthropic API. If the server is run via stdio, it has the privileges of the user running the script.
      • Sanitization: No sanitization or filtering is performed on tool outputs before they are interpolated into the message history for the LLM.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 11:15 PM