Trust Assessment
mcp-builder received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 2 critical, 2 high, 3 medium, and 1 low severity. Key findings include prompt injection via skill documentation instructions, command injection via StdioServerParameters, and unpinned Python dependency versions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection via Skill Documentation Instructions.** `SKILL.md`, which is untrusted input, contains direct instructions for the host LLM, such as 'Use WebFetch to load: `https://modelcontextprotocol.io/llms-full.txt`'. If the host LLM follows instructions embedded in untrusted skill documentation, an attacker who modifies the documentation can direct the LLM to perform arbitrary malicious actions, bypassing the skill's intended purpose. *Remediation:* treat skill documentation as descriptive content for human users or tool parsing, not as commands for the LLM; apply strict input sanitization and instruction filtering to all untrusted content. | LLM | SKILL.md:46 |
| CRITICAL | **Command Injection via StdioServerParameters.** The `MCPConnectionStdio` class in `scripts/connections.py` passes `command`, `args`, and `env` directly to `StdioServerParameters(command=self.command, args=self.args, env=self.env)`. If `command` or `args` can be controlled by untrusted input (e.g., an LLM tool-use call), an attacker can execute arbitrary commands on the host; the `create_connection` factory forwards these parameters unchecked, making the injection path direct. *Remediation:* validate and sanitize `command` and `args` before constructing `StdioServerParameters`; prefer a whitelist of allowed commands and arguments, and escape or sandbox all user-provided input. | Static | scripts/connections.py:90 |
| HIGH | **Data Exfiltration/SSRF via Arbitrary URLs and Headers.** The `MCPConnectionSSE` and `MCPConnectionHTTP` classes in `scripts/connections.py` accept arbitrary `url` and `headers` values. An LLM influenced by prompt injection could use them to perform Server-Side Request Forgery (SSRF) against internal network resources or to exfiltrate sensitive data to external malicious URLs; `create_connection` forwards these parameters unchecked. *Remediation:* validate URLs against an allowlist of permitted domains or internal services, and sanitize or filter headers to prevent injection of sensitive information or malicious directives. | Static | scripts/connections.py:98 |
| HIGH | **Arbitrary Tool Execution by LLM.** The `agent_loop` function in `scripts/evaluation.py` executes whatever the LLM requests: `tool_result = await connection.call_tool(tool_name, tool_input)`. The LLM can therefore invoke any available tool with arbitrary arguments; combined with the command injection finding in `connections.py`, a malicious prompt could lead to arbitrary command execution or data exfiltration. *Remediation:* add a tool access control mechanism; require explicit human confirmation for tools that perform sensitive operations (command execution, requests to arbitrary URLs) and validate `tool_name` and `tool_input` against expected patterns and permissions before execution. | LLM | scripts/evaluation.py:105 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `anthropic>=0.39.0` is not pinned to an exact version. *Remediation:* pin Python dependencies with `==<exact version>`. | Dependencies | mcp-builder/scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `mcp>=1.1.0` is not pinned to an exact version. *Remediation:* pin Python dependencies with `==<exact version>`. | Dependencies | mcp-builder/scripts/requirements.txt:2 |
| MEDIUM | **Information Leakage via Stack Traces.** The `agent_loop` function in `scripts/evaluation.py` catches tool-execution exceptions and appends the full traceback to the tool response (`tool_response += traceback.format_exc()`). An attacker who can trigger an error learns internal details such as file paths and code structure. *Remediation:* log the full traceback internally for debugging and return a generic, user-friendly error message to the LLM; never expose raw stack traces. | Static | scripts/evaluation.py:109 |
| LOW | **Unpinned Dependencies in requirements.txt.** `scripts/requirements.txt` specifies `anthropic>=0.39.0` and `mcp>=1.1.0`. Without exact pins (`==`), future releases could introduce breaking changes, vulnerabilities, or unexpected behavior; this matters especially for `mcp`, which implements the connection logic. *Remediation:* pin all dependencies to exact versions (e.g., `anthropic==0.39.0`, `mcp==1.1.0`) for reproducible builds, and manage transitive dependencies with a lock file (`pip freeze > requirements.lock`). | Static | scripts/requirements.txt:1 |
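To illustrate the command-injection remediation, here is a minimal validation sketch that could run before constructing `StdioServerParameters`. The `ALLOWED_COMMANDS` set and the `validate_stdio_command` helper are hypothetical and not part of the audited code; the allowlist contents must be adapted to the commands a given deployment actually needs.

```python
import shlex

# Hypothetical allowlist: only these executables may be launched as MCP servers.
ALLOWED_COMMANDS = {"python", "node", "uvx", "npx"}

def validate_stdio_command(command: str, args: list[str]) -> None:
    """Reject commands outside the allowlist and args containing shell metacharacters."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"Command {command!r} is not in the allowlist")
    for arg in args:
        # shlex.quote returns the argument unchanged only when it is shell-safe;
        # anything it would quote (spaces, ';', '|', '$', ...) is rejected outright.
        if shlex.quote(arg) != arg:
            raise ValueError(f"Argument {arg!r} contains shell metacharacters")
```

Rejecting rather than escaping keeps the policy simple: legitimate MCP server invocations rarely need shell metacharacters in their arguments, so anything that would require quoting is treated as hostile.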
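For the SSRF finding, one common mitigation is a host allowlist checked before an SSE or HTTP connection is opened. The hosts listed and the `validate_connection_url` helper below are assumptions for illustration, not names from the audited code.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of hosts an SSE/HTTP connection may target.
ALLOWED_HOSTS = {"api.example.com", "mcp.internal.example.com"}

def validate_connection_url(url: str) -> str:
    """Allow only https URLs whose host is explicitly allowlisted."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("Only https:// URLs are permitted")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"Host {parsed.hostname!r} is not allowlisted")
    return url
```

Matching on `parsed.hostname` rather than substring-searching the URL is important: it blocks classic SSRF bypasses such as `https://api.example.com.evil.test/` or credentials-in-URL tricks, and it rejects link-local metadata addresses like `169.254.169.254` by default.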
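The arbitrary-tool-execution finding calls for a gate between the LLM's `tool_use` request and the actual call. A minimal sketch of such a policy check follows; the `SENSITIVE_TOOLS` set and the tool names in it are invented for illustration, since the audited skill does not define this mechanism.

```python
# Hypothetical policy: tools that touch the shell or the network
# require explicit human approval before they run.
SENSITIVE_TOOLS = {"run_command", "http_request"}

def tool_call_allowed(tool_name: str, approved_by_user: bool) -> bool:
    """Gate sensitive tools behind explicit human confirmation."""
    if tool_name in SENSITIVE_TOOLS:
        return approved_by_user
    return True
```

In an agent loop, this check would run before `connection.call_tool(...)`, with disallowed calls returning an error result to the LLM instead of executing.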
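Finally, the stack-trace leakage finding suggests splitting error reporting into two channels: full detail to an internal log, a generic message to the LLM. A sketch of a wrapper implementing that split is below; `safe_call_tool` and the logger name are hypothetical, and `connection.call_tool` is assumed to match the interface used in `scripts/evaluation.py`.

```python
import logging
import traceback

logger = logging.getLogger("mcp_builder.evaluation")

async def safe_call_tool(connection, tool_name: str, tool_input: dict):
    """Run a tool call; keep tracebacks in server logs, out of the LLM transcript."""
    try:
        return await connection.call_tool(tool_name, tool_input)
    except Exception:
        # Full detail (paths, stack frames) goes to the internal log only.
        logger.error("Tool %r failed:\n%s", tool_name, traceback.format_exc())
        # The LLM sees a generic message with no system internals.
        return f"Error: tool '{tool_name}' failed. See server logs for details."
```

This replaces the `tool_response += traceback.format_exc()` pattern flagged above: debugging information survives in the logs, but an attacker who deliberately triggers errors learns nothing about the host's file layout or code structure.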