Trust Assessment
mcp-builder received a trust score of 10/100, placing it in the Untrusted category. The skill has significant security findings that should be addressed before it is used in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 3 high, 2 medium, and 1 low severity. The most significant are Command Injection via the `stdio` transport in the evaluation script, Data Exfiltration/Credential Harvesting via the `stdio` `env` parameter, and unpinned Python dependency versions.
The analysis covered 4 layers: dependency_graph, static_code_analysis, llm_behavioral_safety, manifest_analysis. The static_code_analysis layer scored lowest at 23/100, which is where most of the risk sits.
Last analyzed on February 15, 2026 (commit 3e75fabd). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via `stdio` transport in evaluation script.** The `scripts/connections.py` module, used by `scripts/evaluation.py`, allows arbitrary command execution when the `stdio` transport is selected: `create_connection` passes the `command` and `args` parameters straight through `mcp.client.stdio.stdio_client` to `asyncio.create_subprocess_exec`. No shell is involved, so the issue is not metacharacter injection but that the executable and its arguments are chosen entirely by the caller. `scripts/evaluation.py` exposes both as command-line arguments (`--command`, `--args`); if an AI agent runs `evaluation.py` with values taken from untrusted user input or generated from a malicious prompt, the result is arbitrary code execution on the host. Remediation: restrict `command` to an allowlist of launchers and strictly validate `args` before they reach `stdio_client`, or refuse the `stdio` transport when processing untrusted input; run the evaluation script only in a trusted, isolated environment. | Unknown | scripts/connections.py:99 |
| HIGH | **Data Exfiltration/Credential Harvesting via `stdio` `env` parameter.** The `scripts/connections.py` module allows arbitrary environment variables to be set for the subprocess when the `stdio` transport is used: `create_connection` passes the `env` parameter directly to `asyncio.create_subprocess_exec` (via `mcp.client.stdio.stdio_client`), and `scripts/evaluation.py` exposes it as the `--env` command-line argument. An attacker controlling `env` can inject variables that change how the child process loads code (for example `LD_PRELOAD` pointing at a malicious shared library) or, where secrets are passed through the environment, expose them to an attacker-controlled `command`. Remediation: allowlist the variable names that may be forwarded, refuse loader and interpreter hooks regardless, and never pass sensitive values through this path; for the evaluation script, validate any user-provided input for this parameter or run the script only in a trusted, isolated environment. | Unknown | scripts/connections.py:99 |
| HIGH | **Server-Side Request Forgery (SSRF) via `url` parameter in evaluation script.** The `scripts/connections.py` module connects to any URL it is given when the `sse` or `http` transport is used: `create_connection` passes the `url` parameter directly to `sse_client` or `streamablehttp_client`, and `scripts/evaluation.py` exposes it as the `--url` command-line argument. If an AI agent runs `evaluation.py` with a `url` taken from untrusted input or generated from a malicious prompt, the machine running the evaluation can be made to scan internal networks, reach internal services, or bypass firewall rules. Remediation: validate `url` strictly, allowing only `http`/`https`, rejecting loopback, link-local, and private addresses, and preferring a hostname allowlist (a name that resolves to an internal address would pass a literal-IP check alone). For the evaluation script, validate any user-provided input for this parameter or run the script only in a trusted, isolated environment. | Unknown | scripts/connections.py:104 |
| HIGH | **Credential Harvesting via `headers` parameter in evaluation script.** The `scripts/connections.py` module allows arbitrary HTTP headers to be injected when the `sse` or `http` transport is used: `create_connection` passes the `headers` parameter directly to `sse_client` or `streamablehttp_client`, and `scripts/evaluation.py` exposes it as the `--headers` command-line argument. An attacker controlling `headers` could supply sensitive headers (for example `Authorization` tokens) or manipulate request behaviour, leading to credential harvesting or unauthorized access if the LLM is tricked into providing such values. Remediation: validate `headers`, refusing credential-bearing header names and malformed values from untrusted sources; for the evaluation script, validate any user-provided input for this parameter or run the script only in a trusted, isolated environment. | Unknown | scripts/connections.py:104 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `anthropic>=0.39.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Unknown | scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `mcp>=1.1.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Unknown | scripts/requirements.txt:2 |
| LOW | **Unpinned dependencies in `requirements.txt`.** The `scripts/requirements.txt` file specifies dependencies with minimum versions (`>=`) rather than exact versions (`==`). This is a supply-chain risk: newer releases can introduce breaking changes, new vulnerabilities, or unexpected behaviour without explicit review. Exact pinning is common practice and a stronger posture. Remediation: pin all dependencies to exact versions (for example `anthropic==0.39.0`, `mcp==1.1.0`) and use a tool that generates a lock file (`pip-compile` from a `requirements.in`, or Poetry/Rye) so builds are reproducible and dependency updates are deliberate. | Unknown | scripts/requirements.txt:1 |
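The four code findings above share one root cause: `--command`, `--args`, `--env`, `--url` and `--headers` go from the command line into `create_connection` unchecked. The following is an added example of the gate the remediations describe, written for this report; it is not code from the mcp-builder skill. The allowlisted launchers, environment names and hostnames are assumptions an operator would set for their own servers, and the inline-code flag list covers the interpreters in that allowlist.

```python
"""Validation for the transport parameters an MCP evaluation harness exposes on its
command line (--command/--args/--env for stdio; --url/--headers for sse and http).
Added example for this report, not code from the mcp-builder skill: the allowlists
and flag lists below are assumptions an operator would tune for their own servers."""
from __future__ import annotations

import ipaddress
import os
import re
from urllib.parse import urlparse

# stdio: launchers that may be spawned. create_subprocess_exec uses no shell, so the
# risk is not metacharacters but the interpreter's own inline-code switches, which are
# refused as arguments even for an allowlisted launcher (assumed lists).
ALLOWED_COMMANDS = {"python", "python3", "node", "npx", "uvx"}
INLINE_CODE_FLAGS = {"-c", "-m", "-e", "--eval", "-p", "--print", "-r", "--require", "--import", "--call"}
# stdio env: names forwarded to the child. Loader hooks are refused even if an operator
# later adds them to the allowlist (LD_PRELOAD, DYLD_*, PYTHONPATH, NODE_OPTIONS, ...).
ALLOWED_ENV = {"PATH", "HOME", "LANG", "LC_ALL", "PYTHONUNBUFFERED"}
LOADER_HOOK_ENV = re.compile(r"^(LD_|DYLD_|PYTHONPATH$|PYTHONSTARTUP$|PYTHONHOME$|NODE_OPTIONS$|BASH_ENV$|PERL5OPT$)")
# sse/http: credential-bearing headers never taken from untrusted input; RFC 9110 token.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
HEADER_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_stdio(command: str, args: list[str], env: dict[str, str]) -> tuple[str, list[str], dict[str, str]]:
    """Allowlist the launcher, refuse inline-code flags and non-forwardable env names."""
    if os.sep in command and not os.path.isabs(command):
        raise ValueError(f"relative command path refused: {command!r}")  # e.g. ./python from cwd
    if os.path.basename(command) not in ALLOWED_COMMANDS:
        raise ValueError(f"command not in allowlist: {command!r}")
    for arg in args:
        if arg.split("=", 1)[0] in INLINE_CODE_FLAGS:
            raise ValueError(f"argument enables inline code execution: {arg!r}")
    clean_env: dict[str, str] = {}
    for name, value in env.items():
        if name not in ALLOWED_ENV or LOADER_HOOK_ENV.match(name) or "\x00" in value:
            raise ValueError(f"environment variable not forwardable: {name!r}")
        clean_env[name] = value
    return command, list(args), clean_env


def validate_url(url: str, allowed_hosts: set[str]) -> str:
    """http(s) only, no embedded credentials, no non-public IP literals, names allowlisted.
    A name resolving to an internal address would slip past a literal-IP check, which is
    why hostnames are allowlisted rather than merely parsed."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme refused: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("URL must name a host and carry no credentials")
    host = parts.hostname.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:  # loopback, link-local (169.254.169.254), private, reserved
            raise ValueError(f"non-public address refused: {host}")
    elif host == "localhost" or host.endswith(".localhost") or host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host}")
    return url


def validate_headers(headers: dict[str, str]) -> dict[str, str]:
    """Well-formed names, no credential-bearing headers, no CR/LF in values."""
    clean: dict[str, str] = {}
    for name, value in headers.items():
        if not HEADER_TOKEN.match(name):
            raise ValueError(f"malformed header name: {name!r}")
        if name.lower() in SENSITIVE_HEADERS:
            raise ValueError(f"credential-bearing header refused: {name}")
        if re.search(r"[\r\n\x00]", value):
            raise ValueError(f"control characters in header value: {name}")
        clean[name] = value
    return clean


def validate_connection(transport: str, *, command: str = "", args: list[str] | None = None,
                        env: dict[str, str] | None = None, url: str = "",
                        headers: dict[str, str] | None = None,
                        allowed_hosts: set[str] | None = None) -> dict:
    """Gate applied to parsed CLI arguments before create_connection() would be called."""
    if transport == "stdio":
        command, args, env = validate_stdio(command, list(args or []), dict(env or {}))
        return {"transport": transport, "command": command, "args": args, "env": env}
    if transport in ("sse", "http"):
        return {"transport": transport, "url": validate_url(url, set(allowed_hosts or ())),
                "headers": validate_headers(dict(headers or {}))}
    raise ValueError(f"unknown transport: {transport!r}")


def rejected(fn, *fn_args, **fn_kwargs) -> bool:
    """True when a validator raises ValueError; keeps the demo below readable."""
    try:
        fn(*fn_args, **fn_kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(validate_connection("stdio", command="python", args=["server.py"], env={"PATH": "/usr/bin"}))
    print("bash -c refused:", rejected(validate_stdio, "bash", ["-c", "id"], {}))
    print("LD_PRELOAD refused:", rejected(validate_stdio, "node", ["server.js"], {"LD_PRELOAD": "/tmp/x.so"}))
    print("metadata endpoint refused:", rejected(validate_url, "http://169.254.169.254/latest/", set()))
    print("Authorization refused:", rejected(validate_headers, {"Authorization": "Bearer t"}))
```

Allowlisting the launcher alone is not enough, because `python -c` or `node -e` turns an allowlisted interpreter back into arbitrary code execution; that is why the argument check exists alongside it. The URL check deliberately treats hostnames and IP literals differently: `ipaddress.is_global` settles the literal case (including the cloud metadata address and `[::1]`), while names are accepted only from an allowlist so that DNS cannot be used to reach an internal address.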
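The three dependency findings can be caught before a scanner sees them. The following is an added example of such a pre-commit check, written for this report and not part of mcp-builder: it walks a `requirements.txt`, joins backslash continuations so per-requirement `--hash` options stay attached, and reports specifiers that are not an exact `==` pin as well as exact pins that lack the hash a `pip-compile --generate-hashes` lock file would carry. The sample requirements text is constructed here and includes the two lines the report flags.

```python
"""Pinning lint for requirements.txt, added for this report (not mcp-builder code).
Flags ranges such as '>=', bare names, and exact pins that carry no --hash."""
import re

# name, optional extras, optional comma-separated specifier clauses (PEP 440 operators)
_OP = r"(?:===|==|!=|<=|>=|~=|<|>)"
_VER = r"[A-Za-z0-9.*+!-]+"
REQ = re.compile(rf"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
                 rf"(?P<spec>{_OP}\s*{_VER}(?:\s*,\s*{_OP}\s*{_VER})*)?$")

# Constructed sample: the two unpinned lines from the report plus three contrasting cases.
SAMPLE = r"""anthropic>=0.39.0
mcp>=1.1.0
httpx==0.27.0 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml==6.0.1
requests
-r other.txt
"""


def _logical_lines(text: str):
    """Yield (first_line_no, joined_text), merging trailing-backslash continuations."""
    buf, start = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def find_unpinned(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, requirement, reason) for every line that is not a reproducible pin."""
    findings = []
    for lineno, line in _logical_lines(text):
        line = "" if line.lstrip().startswith("#") else line.split(" #", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option such as -r / --index-url
            continue
        hashed = "--hash=" in line
        req = re.split(r"\s--", line, maxsplit=1)[0].strip()  # requirement, minus per-line options
        req = req.split(";", 1)[0].strip()  # drop environment markers
        match = REQ.match(req)
        if match is None or "@" in req:
            findings.append((lineno, req, "could not parse as name==version"))
            continue
        spec = (match.group("spec") or "").replace(" ", "")
        if not spec:
            findings.append((lineno, req, "no version constraint"))
        elif not re.fullmatch(r"==[^,]+", spec):
            findings.append((lineno, req, f"not an exact pin: {spec}"))
        elif not hashed:
            findings.append((lineno, req, "exact pin but no --hash (use pip-compile --generate-hashes)"))
    return findings


if __name__ == "__main__":
    for lineno, req, reason in find_unpinned(SAMPLE):
        print(f"requirements.txt:{lineno}: {req}: {reason}")
```

Run against the real file with `find_unpinned(open("scripts/requirements.txt").read())`; a non-empty result is the signal to fail the commit or CI job.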
Full report: https://skillshield.io/report/2ea52f48a048de6e (Powered by SkillShield)