mcp-builder
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The evaluation utility (scripts/evaluation.py) launches local MCP server processes using the standard mcp library's stdio_client to perform automated testing.
- [EXTERNAL_DOWNLOADS]: The developer guide (SKILL.md) recommends fetching protocol specifications and SDK documentation from official Model Context Protocol domains and GitHub repositories.
- [DATA_EXFILTRATION]: The testing script (scripts/evaluation.py) communicates with the Anthropic API to process questions and transmit tool invocation data during evaluations.
- [PROMPT_INJECTION]: The evaluation harness (scripts/evaluation.py) reads data from a user-supplied XML file to generate prompts for an LLM.
- Ingestion points: Questions are ingested from an XML file provided by the user via the eval_file argument.
- Boundary markers: The system prompt in scripts/evaluation.py employs XML tags (<summary>, <feedback>, <response>) to structure the agent's output.
- Capability inventory: The script is capable of executing tools exposed by the target MCP server and writing evaluation reports to the local file system.
- Sanitization: Content from the evaluation file is processed without explicit sanitization or filtering before being sent to the LLM.
Audit Metadata