mcp-builder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The MCPConnectionStdio class in scripts/connections.py is designed to launch MCP servers via shell commands.
      ◦ Evidence: The create_connection factory function accepts command and args strings and passes them directly to mcp.client.stdio.stdio_client (via StdioServerParameters).
      ◦ Risk: If an agent is instructed by a malicious user or untrusted external data to 'initialize a new MCP server' with a crafted command string (e.g., rm -rf / or a reverse shell), the skill will execute it with the agent's privileges.
  • PROMPT_INJECTION / INDIRECT INJECTION (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection.
      ◦ Ingestion points: Parameters for the create_connection function, specifically command, args, and url in scripts/connections.py.
      ◦ Boundary markers: None. The skill does not implement delimiters or instructions to ignore embedded commands in the data it processes.
      ◦ Capability inventory: Execution of subprocesses via stdio transport and arbitrary HTTP/SSE network requests.
      ◦ Sanitization: None. There is no validation or whitelisting of commands or URLs.
  • DATA_EXFILTRATION (MEDIUM): The MCPConnectionSSE and MCPConnectionHTTP classes allow the agent to connect to arbitrary URLs.
      ◦ Evidence: sse_client(url=self.url) and streamablehttp_client(url=self.url) in scripts/connections.py.
      ◦ Risk: An attacker can provide a URL to their own server. Once the connection is established, the agent may inadvertently send sensitive session data or tool outputs to the remote endpoint.
  • EXTERNAL_DOWNLOADS (LOW): The skill depends on external libraries.
      ◦ Evidence: scripts/requirements.txt lists anthropic>=0.39.0 and mcp>=1.1.0.
      ◦ Status: Both packages are from trusted sources (Anthropic), downgrading this specific finding to LOW/INFO per [TRUST-SCOPE-RULE].
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:39 PM