Skills
skills/sfrangulov/skill-graveyard/mcp-graveyard/Gen Agent Trust Hub

mcp-graveyard

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses npx mcp-graveyard@latest to download and execute code from the npm registry at runtime.
  • [EXTERNAL_DOWNLOADS]: Fetches the author's CLI package from an external registry to perform its auditing functions.
  • [COMMAND_EXECUTION]: Executes several subcommands including audit, prune, and projects to inspect and modify local settings.
  • [PROMPT_INJECTION]:
  • Ingestion points: Reads session logs (~/.claude) and configuration (~/.claude.json) which contain past agent interactions.
  • Boundary markers: No explicit boundary markers or instructions to ignore embedded content within processed logs are provided.
  • Capability inventory: Can modify local configuration files (~/.claude.json) and run external tools via npx.
  • Sanitization: No sanitization process is mentioned for the ingested session data before it is used for decision-making.
Audit Metadata
Risk Level
SAFE
Analyzed
May 7, 2026, 06:27 AM