agent-auth-mcp
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The configuration instructions for Cursor and Claude Desktop suggest using 'npx @auth/agent-cli' to start the MCP server. This command fetches the package from the npm registry at runtime.
- [REMOTE_CODE_EXECUTION]: By recommending 'npx', the skill triggers the execution of remote code. The package '@auth/agent-cli' is not pinned to a specific version, and it originates from a source that is not explicitly linked to the skill's author ('better-auth') per the vendor naming patterns provided.
- [COMMAND_EXECUTION]: The skill provides instructions for the user to execute shell commands such as 'auth-agent mcp' and 'auth-agent mcp --url https://api.example.com' to manage the authentication environment.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection (Category 8) due to its interaction with untrusted external providers.
  - Ingestion points: External data enters the agent context through the 'list_capabilities' and 'describe_capability' tools, which fetch metadata and schemas from provider URLs.
  - Boundary markers: The instructions lack delimiters or explicit warnings to the agent to disregard instructions that might be embedded in the provider's metadata or capability descriptions.
  - Capability inventory: The agent has access to powerful tools like 'execute_capability', which can perform operations like 'deploy_app' or 'transfer_money' based on the provider's definition.
  - Sanitization: There is no mention of sanitizing or validating the input schemas or provider data before the agent uses them to generate tool calls.
Audit Metadata