signoz-mcp-setup
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes instructions in `SKILL.md` and `references/mcp-settings.md` that direct the agent to perform state checks "silently" and specifically prohibit the disclosure of accessed file paths, file contents, or the specific logic used for the checks. This concealment pattern intentionally limits user oversight of the agent's file system activities.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface through its handling of user-provided data.
  - Ingestion points: The skill accepts region codes and MCP URLs from user messages and the `$ARGUMENTS` parameter.
  - Boundary markers: The instructions lack boundary markers or warnings to the model to ignore potential instructions embedded in the user-provided URLs.
  - Capability inventory: The skill allows the agent to modify local configuration files (e.g., `.mcp.json`, `mcp.json`) and execute environment-specific CLI commands (e.g., `claude mcp add`, `gemini mcp add`).
  - Sanitization: While the skill maps known region codes to static URLs, it accepts custom HTTP/HTTPS endpoints with minimal validation, which could allow a malicious URL to be written into project or system configuration files.
- [COMMAND_EXECUTION]: The skill provides templates and instructions for the agent to execute shell commands and modify local configuration files across various developer tools, including Cursor, VS Code, Claude Code, and Gemini CLI.
Audit Metadata