mcp-server-code-execution-mode
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's primary tool, `run_python`, is designed to execute arbitrary Python code provided by the agent. This is a core functional requirement but constitutes a high-risk capability that could be abused if the agent's instructions are compromised.
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download and install code from `github.com/elusznik/mcp-server-code-execution-mode` and pull container images from `ghcr.io/elusznik/mcp-code-execution:latest`. These sources originate from a third-party account and do not follow the naming conventions associated with the author 'Aradotso'.
- [COMMAND_EXECUTION]: The installation and configuration documentation requires the execution of multiple shell commands on the host machine, including `pip install`, `uv pip install`, and `podman` operations, which modify the local environment and manage system-level services.
- [DATA_EXFILTRATION]: The skill defines a 'bridge' that proxies access to external services such as GitHub, PostgreSQL, and local filesystems. This creates a potential path for data exfiltration if the agent is instructed to read sensitive data from one source and transmit it via a proxied tool to an external endpoint.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes data from untrusted external sources (e.g., GitHub issue content, database records, or local files) and provides the agent with powerful tools to act on that data without explicit sanitization or boundary markers.
  - Ingestion points: Data enters the context via proxied MCP servers like `github`, `postgres`, and `filesystem` (referenced in SKILL.md).
  - Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are provided for data returned from tools.
  - Capability inventory: The skill provides a general-purpose `run_python` tool which can execute logic and call other tools.
  - Sanitization: There is no evidence of sanitization for the outputs of external tools before they are processed by the agent's Python code.
Audit Metadata