Security Audit
dkyazzentwatwa/chatgpt-skills:mcp-builder
github.com/dkyazzentwatwa/chatgpt-skillsTrust Assessment
dkyazzentwatwa/chatgpt-skills:mcp-builder received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 3 medium, and 1 low severity. Key findings include Unpinned Python dependency version, Arbitrary Command Execution via `stdio` Transport, Environment Variable Exfiltration via `stdio` Transport.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 24, 2026 (commit d4bad335). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via `stdio` Transport The `scripts/connections.py` module provides an `MCPConnectionStdio` class and a `create_connection` factory function that allows executing arbitrary shell commands. The `stdio_client` from the `mcp` library is used to spawn a subprocess with a user-provided `command`, `args`, and `env`. The `scripts/evaluation.py` harness uses this `create_connection` function, taking `command`, `args`, and `env` directly from command-line arguments. If an attacker can control these command-line arguments (e.g., through a malicious prompt to an orchestrating LLM or by directly invoking the script with malicious inputs), they can execute arbitrary code on the host system. 1. **Restrict `stdio` transport usage:** If `stdio` transport is necessary, ensure that the `command`, `args`, and `env` parameters are strictly validated and whitelisted. Do not allow arbitrary commands or arguments. 2. **Isolate execution environment:** Run the MCP server processes in a highly sandboxed and restricted environment (e.g., Docker containers with minimal privileges, gVisor, or similar). 3. **Least Privilege:** Ensure the process running the `evaluation.py` script and the spawned MCP servers has the absolute minimum necessary permissions. 4. **Agent Control:** If an LLM is orchestrating this, implement strict guardrails and input validation on any parameters that could influence the `command`, `args`, or `env` passed to `create_connection`. | LLM | scripts/connections.py:79 | |
| HIGH | Environment Variable Exfiltration via `stdio` Transport The `scripts/connections.py` module's `MCPConnectionStdio` class and `create_connection` function allow setting arbitrary environment variables for the spawned subprocess via the `env` parameter. An attacker exploiting the command injection vulnerability (SS-LLM-003) could use this to exfiltrate sensitive environment variables from the host system by running a command that reads these variables and sends them to an external, attacker-controlled service. 1. **Implement remediation for SS-LLM-003.** 2. **Sanitize/Whitelist Environment Variables:** If custom environment variables are required, strictly whitelist allowed variable names and their values. Do not allow arbitrary environment variable injection. 3. **Remove sensitive data from environment:** Avoid storing sensitive credentials or data directly in environment variables accessible to potentially untrusted processes. | LLM | scripts/connections.py:79 | |
| MEDIUM | Unpinned Python dependency version Requirement 'anthropic>=0.39.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | mcp-builder/scripts/requirements.txt:1 | |
| MEDIUM | Unpinned Python dependency version Requirement 'mcp>=1.1.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | mcp-builder/scripts/requirements.txt:2 | |
| MEDIUM | Broad Tool Access via `WebFetch` The `SKILL.md` document instructs the LLM to use `WebFetch` to retrieve external documentation from various URLs (e.g., `https://modelcontextprotocol.io/llms-full.txt`, `https://raw.githubusercontent.com/modelcontextprotocol/python-sdk/main/README.md`). While the provided URLs are legitimate documentation sources, the instruction "To gather comprehensive information, use web search and the WebFetch tool as needed" implies a broad permission for the LLM to use `WebFetch` on arbitrary URLs. This capability, if not properly sandboxed or restricted by the host environment, could be abused by a malicious prompt to fetch sensitive internal network resources or exfiltrate data to external sites. 1. **Implement URL Whitelisting:** Restrict the `WebFetch` tool to only access a predefined list of safe and necessary URLs or domains. 2. **Sandbox `WebFetch`:** Run `WebFetch` operations in an isolated environment with no access to internal networks or sensitive resources. 3. **Monitor `WebFetch` usage:** Log all `WebFetch` requests and their destinations to detect anomalous activity. | LLM | SKILL.md:76 | |
| LOW | Unpinned Dependencies in `requirements.txt` The `scripts/requirements.txt` file specifies dependencies using minimum version pinning (`>=`). While common, this practice can introduce supply chain risks if a new, vulnerable version of `anthropic` or `mcp` is released. Without exact version pinning, the build system might pull in a compromised or buggy version. Pin dependencies to exact versions (e.g., `anthropic==0.39.0`, `mcp==1.1.0`) to ensure deterministic builds and prevent unexpected updates that might introduce vulnerabilities. Use a dependency lock file (e.g., `pip freeze > requirements.lock`) for production deployments. | LLM | scripts/requirements.txt:1 |
Scan History
Embed Code
[](https://skillshield.io/report/2fe636166332eb52)
Powered by SkillShield