Trust Assessment
mcp-builder received a trust score of 31/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 3 medium, and 1 low severity. Key findings include Unpinned Python dependency version, Network egress to untrusted endpoints, Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via stdio transport 'command' and 'env' parameters.** The `scripts/connections.py` module, utilized by `scripts/evaluation.py`, facilitates arbitrary command execution when the `stdio` transport is selected. The `command`, `args`, and `env` parameters are passed directly to `stdio_client` (which typically invokes `subprocess.Popen` or similar). If an AI agent or user provides untrusted input for these parameters (e.g., via command-line arguments to `evaluation.py`), it can lead to arbitrary code execution on the host system. This presents a direct and severe risk. Recommendation: implement strict validation and whitelisting for the `command`, `args`, and `env` parameters if they are derived from untrusted input. Consider sandboxing the execution environment for MCP servers run via `stdio` transport. Ensure that the AI agent is not prompted to generate or pass arbitrary commands to the evaluation harness. | Static | scripts/connections.py:87 |
| HIGH | **Server-Side Request Forgery (SSRF) and Data Exfiltration via sse/http transport 'url' and 'headers'.** The `scripts/connections.py` module, utilized by `scripts/evaluation.py`, allows making HTTP requests to arbitrary URLs with arbitrary headers when `sse` or `http` transports are selected. The `url` and `headers` parameters are passed directly to `sse_client` or `streamablehttp_client`. If an AI agent or user provides untrusted input for these parameters (e.g., via command-line arguments to `evaluation.py`), it can lead to Server-Side Request Forgery (SSRF), allowing access to internal network resources, or data exfiltration by sending sensitive information (e.g., environment variables, local file contents if the agent can read them) to an attacker-controlled server via custom headers or URL parameters. Recommendation: implement strict URL validation (e.g., allowlisting domains, blocking private IP ranges) and sanitize or remove sensitive information from headers if they are derived from untrusted input. Restrict network access for processes handling untrusted URLs. Ensure the AI agent is not prompted to generate or pass arbitrary URLs or headers to the evaluation harness. | Static | scripts/connections.py:96 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'anthropic>=0.39.0' is not pinned to an exact version. Recommendation: pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/development/mcp-builder/scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'mcp>=1.1.0' is not pinned to an exact version. Recommendation: pin Python dependencies with '==<exact version>'. | Dependencies | cli-tool/components/skills/development/mcp-builder/scripts/requirements.txt:2 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Recommendation: review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Recommendation: remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/2c32368d1f49e4cd