Skills
skills/orcaqubits/agentic-commerce-skills-plugins/mpp-client-fetch/Gen Agent Trust Hub

mpp-client-fetch

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill provides an interface for fetching data from external APIs via mppx.fetch(), which creates an attack surface for indirect prompt injection.
  • Ingestion points: Data enters the agent context through API responses from mppx.fetch() calls as described in SKILL.md.
  • Boundary markers: Absent; the documentation does not suggest using delimiters or specific instructions to help the agent distinguish between data and commands.
  • Capability inventory: The skill is configured with high-privilege tools including Bash, Write, Edit, and WebFetch as specified in the allowed-tools field of SKILL.md.
  • Sanitization: Absent; no methods for validating or sanitizing the content of external API responses are mentioned before the data is processed by the agent.
  • [EXTERNAL_DOWNLOADS]: The instructions direct the agent to fetch documentation and sample code from official sources including npmjs.com, github.com, and the protocol's website mpp.dev, all of which are relevant to the skill's primary function.
  • [COMMAND_EXECUTION]: The skill provides guidance on using the mppx CLI via npx for testing and implementation purposes.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 31, 2026, 06:10 AM