skills/mukul975/anthropic-cybersecurity-skills/auditing-mcp-servers-for-tool-poisoning/Gen Agent Trust Hub
auditing-mcp-servers-for-tool-poisoning
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs the
uvpackage manager fromastral.shusing a piped shell command. This is a standard installation procedure for a well-known technology provider. - [COMMAND_EXECUTION]: The Python script
scripts/agent.pyusessubprocess.run()to invoke auditing tools likemcp-scan. It also launches external MCP servers as subprocesses to facilitate programmatic enumeration of their tool schemas. - [REMOTE_CODE_EXECUTION]: The workflow utilizes
uvxto dynamically fetch and execute themcp-scansecurity scanner from Invariant Labs. This is a legitimate operation for the skill's primary purpose of security auditing. - [PROMPT_INJECTION]: While automated scans flagged 'PI_CONCEALMENT', this is a false positive. The skill documentation describes how attackers use concealment in tool poisoning, but it does not attempt to conceal its own actions from the user. The skill actually implements defensive regex patterns to detect and flag prompt injection attempts in third-party tool descriptions.
- [DATA_EXFILTRATION]: The skill mentions sensitive file paths (like
~/.ssh/id_rsa) and network operations, but these are exclusively used as search patterns to detect malicious payloads in the servers being audited, rather than for accessing the user's local data.
Audit Metadata