mcp-builder
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/evaluation.pyscript andscripts/connections.pymodule provide the capability to launch local MCP servers as subprocesses using thestdiotransport. This behavior is triggered by user-supplied command-line arguments and is essential for testing locally developed servers. - [EXTERNAL_DOWNLOADS]: The
SKILL.mdfile and implementation guides recommend fetching the latest protocol specifications and SDK README files frommodelcontextprotocol.ioand its official GitHub repository. These sources are official and well-known within the technical domain of the skill. - [PROMPT_INJECTION]: The evaluation harness in
scripts/evaluation.pyis susceptible to indirect prompt injection because it processes tool outputs and external XML-based questions. A malicious tool output or evaluation task could theoretically contain instructions intended to override the evaluator agent's behavior. (1) Ingestion points: Untrusted data enters the agent context through the evaluation XML file and tool responses returned by theconnection.call_toolmethod inscripts/evaluation.py. (2) Boundary markers: There are no explicit boundary markers or 'ignore embedded instructions' warnings used when tool outputs are appended to the agent's message history. (3) Capability inventory: The script can execute any tool available on the connected MCP server, which typically includes data retrieval and, depending on the server, potentially destructive operations. (4) Sanitization: The script does not sanitize or escape tool outputs before they are processed by the LLM.
Audit Metadata