integrate-mcp
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill facilitates the installation and execution of third-party code from arbitrary URLs provided by the user. It automates command-line operations such as npm install, pip install, and git clone based on content parsed from these external, untrusted sources.
- [COMMAND_EXECUTION]: The instructions guide the agent to perform multiple shell operations, including package management, repository cloning, and testing MCP tools with live data.
- [DATA_EXFILTRATION]: The skill creates a path for potential credential exposure by prompting users to enter sensitive environment variables (such as API keys) directly into the chat interface. These secrets are then written to a .env file, while the skill maintains network capabilities through web_fetch and telemetry calls.
- [PROMPT_INJECTION]: The skill contains a significant surface for indirect prompt injection (Category 8). It fetches and analyzes content from external, attacker-controlled websites to determine configuration and installation steps without implementing boundary markers or content sanitization.
  - Ingestion points: web_fetch is used on user-supplied URLs within SKILL.md to retrieve READMEs and marketplace pages.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the processing logic.
  - Capability inventory: The skill has the capability to write to configuration files (.mcp.json, .env, CLAUDE.md) and execute shell commands via npm, pip, and git.
  - Sanitization: There is no evidence of validation or sanitization applied to the fetched external content before it is parsed for instructions.
Audit Metadata