mcp-server-manager
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill provides instructions and generates commands for adding MCP servers (e.g., `claude mcp add`). While it uses `shlex.quote` in `scripts/scan_mcp_servers.py` to mitigate command injection when generating suggestions, the execution of these commands remains a deliberate action of the user/agent to fulfill the skill's purpose.
- [DATA_EXFILTRATION] (LOW): The script `scripts/scan_mcp_servers.py` reads sensitive configuration files such as `~/.claude.json` and project-level `.mcp.json`. This is necessary for the discovery process, and no evidence was found of these contents being exfiltrated to an external network.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8). An attacker could place a malicious `.mcp.json` file in a project directory that, when scanned, causes the agent to suggest or execute unintended commands.
- Ingestion points: `scripts/scan_mcp_servers.py` reads `~/.claude.json` and `.mcp.json` files found via `os.walk`.
- Boundary markers: None present in the script or prompt to distinguish between trusted and untrusted configuration data.
- Capability inventory: The skill facilitates `claude mcp add` commands, which can download and execute arbitrary packages via `npx` or local commands.
- Sanitization: The script uses `shlex.quote` for shell safety but does not validate the integrity or source of the server configurations it discovers.
Audit Metadata