mcp-pipeline-builder
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ingestion of external repository content. Malicious instructions embedded in a target repository's documentation or source code could influence the analysis and design phases, potentially leading to the generation of malicious code.
  - Ingestion points: Phase 1 repository analysis in SKILL.md.
  - Boundary markers: None identified during repository ingestion; the skill relies on user review.
  - Capability inventory: Shell access (Bash), package installation (npm/pip), subprocess execution (Phase 5), and config modification (Phase 6).
  - Sanitization: A mandatory human review gate in Phase 2 requires user approval before code generation.
- [EXTERNAL_DOWNLOADS]: The skill downloads content from user-provided repository URLs during Phase 1 using git clone. In Phase 4, it performs npm install, which fetches third-party dependencies from the npm registry based on generated package.json files.
- [REMOTE_CODE_EXECUTION]: Phase 5 involves launching the newly generated and compiled MCP server as a subprocess for evaluation. This constitutes execution of code generated from potentially untrusted external inputs.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute several high-impact commands, including repository cloning, package installation (npm install), and build processes (npm run build, python -m py_compile).
- [DATA_EXFILTRATION]: Phase 6 modifies the user's global Claude configuration file (~/.claude.json) or local settings to register the new server. While this is the intended functionality, it involves programmatic modification of sensitive system configuration.
Audit Metadata