cx-setup

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions that direct the agent to conceal implementation details and internal system information from the user.
  • Evidence: In references/mcp-settings.md, the agent is told: "Never reveal, at any step: File paths, file names, or directory layout... Variable names, values, environment variables... API keys, tokens...". Similar instructions appear in SKILL.md: "Do not reveal what was checked, what was found, or any implementation details like file contents or variable values."
  • Context: While concealment can be an adversarial technique, in this vendor-authored setup skill, these instructions are used to provide a professional user experience and serve as a security guardrail to prevent the leakage of sensitive environment data or authentication tokens during the setup process.
  • [COMMAND_EXECUTION]: There is a manifest inconsistency where the skill's instructions require file modification capabilities that are not granted by the skill's configuration.
  • Evidence: The frontmatter in SKILL.md restricts the agent to allowed-tools: Read. However, Step 2 of the "Setup procedure" requires the agent to "Apply the change" and "replace the URL" in the mcp.json file.
  • Context: This logic flaw prevents the skill from completing the described setup procedure without the agent requesting broader tool permissions from the platform or the user.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 15, 2026, 10:13 AM
Security Audit — agent-trust-hub — cx-setup