mcp-cli
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill explicitly commands the agent to download and execute a shell script from a non-trusted repository using the 'curl | bash' pattern. This facilitates the execution of unverified remote code. Evidence: 'curl -fsSL https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh | bash' found in SKILL.md and references/testing-flow.md.
- [COMMAND_EXECUTION]: The skill facilitates executing local development scripts via bun, which could execute malicious code if the local environment is compromised. Evidence: 'bun run src/index.ts' in SKILL.md.
- [CREDENTIALS_UNSAFE]: Configuration examples in the skill's reference files contain hardcoded string literals for API keys and Authorization tokens. While used for demonstration, these suggest a practice of embedding secrets in plaintext configuration. Evidence: '"API_KEY": "test-key-123"' and '"Authorization": "Bearer token"' in references/configuration-and-arguments.md.
- [EXTERNAL_DOWNLOADS]: The skill performs downloads from external domains, specifically GitHub's raw content servers. Evidence: https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it reads tool outputs from external MCP servers and pipes them into other commands without sanitization. Ingestion points: outputs from 'mcp-cli call' in references/output-debugging-and-chaining.md. Boundary markers: None. Capability inventory: subprocess calls, file reads, and shell piping. Sanitization: None.
Recommendations
- HIGH: Downloads and executes remote code from https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata