manage-mcp
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill documentation provides examples for creating tools and resources that read from the local file system (e.g., `package.json`, `README.md`) and database tables (e.g., `users`). These patterns describe how to expose internal system data to an AI agent, which is a key component of data exposure risks.
- [PROMPT_INJECTION]: The skill includes templates for tools and resources that ingest external strings (such as filenames or paths) and pass them directly to file system operations without demonstrating path normalization or validation, creating a surface for indirect prompt injection.
  - Ingestion points: The `args.filename` parameter in `references/resources.md` and the `path` parameter in `references/tools.md` serve as entry points for potentially untrusted data.
  - Boundary markers: The provided examples do not use delimiters or provide instructions to the agent to ignore embedded commands within the processed file content.
- Capability inventory: The skill uses `readFile` (from `node:fs/promises`) for file access, `useDrizzle` for database operations, and `$fetch` for network requests across multiple reference files.
  - Sanitization: While the middleware guide in `references/middleware.md` mentions sanitization as a best practice, the specific implementation examples for tools and resources in `references/resources.md` and `references/tools.md` lack input validation or path sanitization logic.
Audit Metadata