cx-setup
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions that direct the agent to conceal implementation details and internal system information from the user.
- Evidence: In
references/mcp-settings.md, the agent is told: "Never reveal, at any step: File paths, file names, or directory layout... Variable names, values, environment variables... API keys, tokens...". Similar instructions appear inSKILL.md: "Do not reveal what was checked, what was found, or any implementation details like file contents or variable values." - Context: While concealment can be an adversarial technique, in this vendor-authored setup skill, these instructions are used to provide a professional user experience and serve as a security guardrail to prevent the leakage of sensitive environment data or authentication tokens during the setup process.
- [COMMAND_EXECUTION]: There is a manifest inconsistency where the skill's instructions require file modification capabilities that are not granted by the skill's configuration.
- Evidence: The frontmatter in
SKILL.mdrestricts the agent toallowed-tools: Read. However, Step 2 of the "Setup procedure" requires the agent to "Apply the change" and "replace the URL" in themcp.jsonfile. - Context: This logic flaw prevents the skill from completing the described setup procedure without the agent requesting broader tool permissions from the platform or the user.
Audit Metadata