mcp-builder
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The file
scripts/connections.pycontains theMCPConnectionStdioclass which wrapsmcp.client.stdio.stdio_client. This class accepts an unvalidatedcommandstring andargslist to spawn a subprocess. In an agentic context, if the agent is manipulated into passing a malicious string to this connection factory, it results in arbitrary command execution on the host system. - EXTERNAL_DOWNLOADS (MEDIUM):
SKILL.mdinstructs the agent to fetch documentation and README files from external URLs, specificallyhttps://modelcontextprotocol.io/sitemap.xmland variousraw.githubusercontent.compaths. While these point to official protocol repositories, the ingestion of external content that subsequently guides code generation and execution creates a significant attack surface. - REMOTE_CODE_EXECUTION (HIGH): The combination of Phase 2 ('Implementation') and Phase 3 ('Build and Test') in
SKILL.mdencourages the agent to generate code, build it (e.g.,npm run build), and then execute it using thestdiotransport. If the code generation phase is compromised via indirect prompt injection from the external documentation fetches, the execution phase provides a direct path to RCE. - INDIRECT_PROMPT_INJECTION (LOW): As required by the security framework:
- Ingestion points:
SKILL.md(WebFetch instructions for protocol docs),scripts/connections.py(processing tool outputs from external servers). - Boundary markers: Absent. The instructions do not specify delimiters or warnings to ignore instructions within fetched data.
- Capability inventory:
scripts/connections.pyfacilitates subprocess execution (stdio_client), and network requests (sse_client,streamablehttp_client). - Sanitization: Absent. There is no evidence of command sanitization or URL validation in
scripts/connections.py.
Recommendations
- AI detected serious security threats
Audit Metadata