goldrush-mcp-skill

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses npx to execute the @covalenthq/goldrush-mcp-server package. This is the official and standard way to run an MCP server from Covalent.
  • [EXTERNAL_DOWNLOADS]: The skill downloads the official @covalenthq/goldrush-mcp-server package from the standard npm registry using npx.
  • [CREDENTIALS_UNSAFE]: The skill follows security best practices by instructing the user to manage the GOLDRUSH_API_KEY via uxc auth or environment variables rather than hardcoding it. It uses a secret injection pattern, {{secret}}, which is a standard safe practice for this toolset.
  • [REMOTE_CODE_EXECUTION]: While it executes a remote package via npx, the package is from a well-known service (Covalent) and the execution method is the intended use case for Model Context Protocol (MCP) servers.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 03:14 AM