auditing-mcp-servers-for-tool-poisoning

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs the uv package manager from astral.sh using a piped shell command. This is a standard installation procedure for a well-known technology provider.
  • [COMMAND_EXECUTION]: The Python script scripts/agent.py uses subprocess.run() to invoke auditing tools like mcp-scan. It also launches external MCP servers as subprocesses to facilitate programmatic enumeration of their tool schemas.
  • [REMOTE_CODE_EXECUTION]: The workflow utilizes uvx to dynamically fetch and execute the mcp-scan security scanner from Invariant Labs. This is a legitimate operation for the skill's primary purpose of security auditing.
  • [PROMPT_INJECTION]: While automated scans flagged 'PI_CONCEALMENT', this is a false positive. The skill documentation describes how attackers use concealment in tool poisoning, but it does not attempt to conceal its own actions from the user. The skill actually implements defensive regex patterns to detect and flag prompt injection attempts in third-party tool descriptions.
  • [DATA_EXFILTRATION]: The skill mentions sensitive file paths (like ~/.ssh/id_rsa) and network operations, but these are exclusively used as search patterns to detect malicious payloads in the servers being audited, rather than for accessing the user's local data.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 03:40 AM
Security Audit — agent-trust-hub — auditing-mcp-servers-for-tool-poisoning