Skills
skills/yigitkonur/skill-mcp-server-tester/mcp-server-tester/Gen Agent Trust Hub

mcp-server-tester

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions in references/llm-test-guide.md and references/providers.md explicitly guide the agent to ask the user for sensitive LLM API keys (e.g., OpenAI, Anthropic, OpenRouter) and save them to a .env file in the project root. Storing credentials in plaintext files is an unsafe practice that risks exposure if the environment is shared or improperly secured.
  • [EXTERNAL_DOWNLOADS]: The skill relies on npx @mcp-use/inspector to provide its core functionality. This command downloads and executes a remote package from the npm registry at runtime. While @mcp-use/inspector is a specialized tool for MCP developers, dynamic execution of third-party packages represents an external dependency risk.
  • [COMMAND_EXECUTION]: The skill makes extensive use of system commands including curl, jq, kill, and lsof. It starts background processes and manages local network services. If the target MCP server URL or other inputs provided by a user are not properly handled, these commands could potentially be exploited.
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection (Category 8) because its primary function is to ingest and reason about data from external MCP servers. A malicious MCP server could provide crafted tool descriptions or schemas designed to influence the agent's behavior.
  • Ingestion points: Data enters the agent's context through discovery calls like tools/list, resources/list, and prompts/list in references/llm-test-guide.md and references/basic-test-guide.md.
  • Boundary markers: The skill does not implement boundary markers or instructions for the agent to ignore potentially malicious content within the tool schemas it processes.
  • Capability inventory: The agent has capabilities to execute shell commands, perform network operations via curl, and write to local files (.env).
  • Sanitization: No sanitization or validation logic is present to filter content retrieved from the target MCP server before it is used for test case generation and reasoning.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 2, 2026, 03:33 PM