mcp2cli-runtime-api-tooling

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the --mcp-stdio flag, which allows for the execution of arbitrary shell command strings (e.g., npx @modelcontextprotocol/server-filesystem /tmp). This provides a direct path for the agent to execute untrusted subprocesses.
  • [EXTERNAL_DOWNLOADS]: The documentation recommends running the tool directly from public registries using uvx mcp2cli and npx, which involves downloading and executing code from external repositories.
  • [CREDENTIALS_UNSAFE]: The tool features built-in support for reading sensitive data from environment variables and local files using the env: and file: prefixes (e.g., --auth-header "Authorization:Bearer env:API_TOKEN"). While intended for secure secrets management, this mechanism could be abused to expose sensitive host information if the agent is directed to use these prefixes with attacker-controlled endpoints.
  • [COMMAND_EXECUTION]: The bake install command persists executable wrapper scripts into the user's ~/.local/bin directory, which modifies the system's execution environment.
  • [REMOTE_CODE_EXECUTION]: The tool dynamically fetches and processes OpenAPI and GraphQL specifications from remote URLs to generate CLI commands at runtime. If these remote specifications are compromised, they could potentially influence the agent's behavior via indirect prompt injection or lead to malicious API calls.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 18, 2026, 05:05 PM