mcp-security
Audited by Socket on May 4, 2026
2 alerts found:
Security / Malware / SUSPICIOUS: the skill is internally coherent as an MCP security testing methodology, but its purpose is explicitly offensive security enablement for AI agents. It has low supply-chain and exfiltration risk itself, yet high operational risk because it equips an agent to probe and potentially abuse MCP trust boundaries, hidden prompt channels, and token isolation.
This fragment is an explicit MCP attack blueprint focused on malicious tool-metadata prompt injection and supply-chain sabotage: it proposes poisoning tool `description`/`inputSchema`, evading review via Base64/Unicode/ANSI steganography and renderer tricks, performing rug-pulls via post-authorization tool mutations, hijacking trusted actions via shadow tools/name collisions, and attempting cross-server OAuth/token leakage followed by attacker-controlled exfiltration. Given the directness and specificity of the theft/exfiltration intent, it represents a very high security risk. Even though no dependency implementation is provided to audit, the content itself is unequivocally malicious in objective and technique.