native-mcp
Warn
Audited by Socket on May 16, 2026
1 alert found:
AnomalyAnomalySKILL.md
LOWAnomalyLOW
SKILL.md
Purpose and capabilities are broadly coherent for an MCP client, and the core install guidance uses official sources. The main risk is not hidden malware but the intentional expansion of the agent trust boundary: arbitrary MCP servers, runtime package execution via npx/uvx, credential forwarding, default-enabled sampling, and global tool auto-injection make this a medium-high risk integration skill that should only be used with well-trusted servers.
Confidence: 84%Severity: 68%
Audit Metadata