kagi-session2api-mcp-server
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires downloading and installing the `kagi-session2api-mcp` package from the public Python Package Index (PyPI).
- [COMMAND_EXECUTION]: Installation and execution involve shell commands such as `pip install kagi-session2api-mcp` and `uvx kagi-session2api-mcp`.
- [CREDENTIALS_UNSAFE]: The skill instructs users to manually extract and store Kagi session tokens in environment variables or configuration files. These tokens are highly sensitive credentials that provide full account access and are treated similarly to passwords.
- [PROMPT_INJECTION]: The skill is susceptible to 'Indirect Prompt Injection' because it fetches and summarizes content from arbitrary external URLs. This untrusted data enters the agent's context where it could potentially contain malicious instructions designed to manipulate the AI's behavior.
  - Ingestion points: Search results (titles/snippets) and website content processed by the summarizer tool.
  - Boundary markers: None specified in the instructions to separate untrusted web content from agent instructions.
  - Capability inventory: The skill performs network operations and potentially subprocess calls to run the MCP server.
  - Sanitization: No evidence of input validation or content sanitization is provided in the skill documentation.
Audit Metadata