mcp-cli
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation (SKILL.md, references/testing-flow.md) provides a command to install dependencies by piping a remote shell script from an untrusted GitHub account directly into the bash interpreter: curl -fsSL https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh | bash. This allows for unverified arbitrary code execution on the host system.
- [COMMAND_EXECUTION]: The skill facilitates and encourages the execution of terminal commands for MCP server validation, including complex shell chaining operations.
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes code from a third-party GitHub repository (philschmid/mcp-cli) that is neither a trusted vendor nor the skill author.
- [PROMPT_INJECTION]: The skill demonstrates a vulnerability to indirect prompt injection or command hijacking by suggesting that tool outputs be piped into other commands (e.g., using xargs) without any sanitization or boundary markers. Ingestion point: mcp-cli call outputs in references/output-debugging-and-chaining.md. Boundary markers: none present. Capability inventory: mcp-cli call, xargs, shell evaluation. Sanitization: no sanitization or escaping of tool outputs is documented before they are passed to subsequent shell commands.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata