unity-mcp
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill contains a setup script (
scripts/setup.sh) that programmatically modifies the local configuration files of various AI agents (Claude Code, Gemini CLI, and Codex CLI) located in the user's home directory. It usespython3 -ccommands to inject JSON and TOML configuration data into these files. - [EXTERNAL_DOWNLOADS]: The skill requires the user to install a Unity package from an external, non-trusted GitHub repository (
https://github.com/CoplayDev/unity-mcp.git). This repository is not associated with a well-known service or a trusted organization. - [PROMPT_INJECTION]: The
SKILL.mdfile includes explicit instructions to the AI agent to "automatically" execute setup steps when a user requests configuration. These steps involve the modification of the agent's own system settings and configuration files. - [DATA_EXFILTRATION]: The skill accesses sensitive application configuration files (
~/.claude/settings.json,~/.codex/config.toml,~/.gemini/settings.json). These files reside in the user's home directory and often contain persistent application state, user preferences, and potentially sensitive metadata related to the agent's operation. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from the Unity environment which is then processed by the agent with high-privilege capabilities.
- Ingestion points: The skill reads Unity console logs (
read_console) and searches through project files (find_in_file). - Boundary markers: There are no identified delimiters or instructions to prevent the agent from obeying commands embedded within the ingested logs or files.
- Capability inventory: The skill possesses significant capabilities, including the ability to write files, execute shell commands, create C# scripts, and perform batch operations in the Unity Editor.
- Sanitization: There is no evidence of sanitization or validation of the data ingested from the Unity environment before it is interpolated into the agent's context.
Audit Metadata