native-mcp

Warn

Audited by Socket on May 16, 2026

1 alert found:

Anomaly
AnomalyLOW
SKILL.md

Purpose and capabilities are broadly coherent for an MCP client, and the core install guidance uses official sources. The main risk is not hidden malware but the intentional expansion of the agent trust boundary: arbitrary MCP servers, runtime package execution via npx/uvx, credential forwarding, default-enabled sampling, and global tool auto-injection make this a medium-high risk integration skill that should only be used with well-trusted servers.

Confidence: 84%Severity: 68%
Audit Metadata
Analyzed At
May 16, 2026, 01:48 PM
Package URL
pkg:socket/skills-sh/NousResearch%2Fhermes-agent%2Fnative-mcp%2F@c997a6ce3d2d8656ff384b5a6c4851a8d34a3d61
Security Audit — socket — native-mcp