skills/zrong/skills/mcp-deploy/Gen Agent Trust Hub

mcp-deploy

Fail

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Fetches and executes an installation script for the 'uv' tool from Astral's official domain.
      • Evidence: curl -LsSf https://astral.sh/uv/install.sh | sh in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: Directs the user or agent to download binary releases from Gitea's public release page.
      • Evidence: https://gitea.com/gitea/gitea-mcp/releases in SKILL.md.
  • [COMMAND_EXECUTION]: Performs privileged system-level operations, including moving external binaries to system-wide binary paths and granting execution permissions.
      • Evidence: cp gitea-mcp /usr/local/bin/ in SKILL.md.
      • Evidence: chmod +x /usr/local/bin/gitea-mcp in SKILL.md.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting user-provided configuration strings into shell commands without explicit sanitization.
      • Ingestion points: User-provided API keys, URLs, and tokens are collected and interpolated into mcporter commands and .env files.
      • Boundary markers: No delimiters or instructions to ignore embedded commands are present in the interpolation logic.
      • Capability inventory: Includes file system write access (cat >), permission modification (chmod), and arbitrary command execution (mcporter, sh).
      • Sanitization: There is no evidence of input validation or shell-escaping for the user-provided data before it is executed or written to files.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 3, 2026, 11:13 PM