mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill exhibits a high-risk vulnerability surface by combining external data ingestion with command execution capabilities.
  - Ingestion points: The agent is instructed in SKILL.md (Phases 1.2, 1.3, 1.4) to fetch and read content from modelcontextprotocol.io, GitHub, and user-provided API documentation.
  - Boundary markers: There are no instructions or mechanisms to sanitize or delimit this external content to prevent the agent from obeying embedded instructions.
  - Capability inventory: scripts/connections.py implements the MCPConnectionStdio class, which uses mcp.client.stdio.stdio_client to execute system commands with arbitrary arguments and environment variables.
  - Sanitization: No validation or restriction is placed on the commands or arguments passed to the stdio client.
- External Downloads (MEDIUM): The skill directs the agent to fetch resources from external domains including modelcontextprotocol.io and raw.githubusercontent.com/modelcontextprotocol. These sources are not included in the Trusted External Sources list, making the content unverifiable at runtime.
- Command Execution (MEDIUM): The inclusion of scripts/connections.py provides the agent with the ability to spawn subprocesses. While intended for local MCP server integration, this capability is dangerous if the agent's decision to execute a specific command is influenced by the untrusted data it is instructed to process.
Recommendations
- AI detected serious security threats