Trust Assessment
mcp-hub received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Excessive Permissions Declared in Manifest, Potential Command Injection via 'npx' Execution, Data Exfiltration Risk via File Operations.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Excessive Permissions Declared in Manifest: The skill's manifest explicitly declares highly privileged tools such as 'computer', 'code_execution', and 'file_operations'. These tools grant the AI agent broad access to the host system, including the ability to execute arbitrary commands, read/write/delete files, and interact with the operating system. This level of access poses a severe security risk, as a compromised or malicious skill could lead to complete system compromise or data loss. Review and restrict the declared tools to the absolute minimum necessary for the skill's intended functionality. Avoid 'computer', 'code_execution', and 'file_operations' unless absolutely critical and with robust sandboxing. Implement strict input validation and output sanitization for any remaining privileged operations. | LLM | Manifest |
| CRITICAL | Potential Command Injection via 'npx' Execution: The skill's configuration example demonstrates the use of 'npx' to execute external Node.js packages (e.g., '@modelcontextprotocol/server-filesystem'). 'npx' is a command-line utility for executing arbitrary packages. If the arguments passed to 'npx' can be influenced by untrusted input, or if the packages themselves are compromised, it creates a direct command injection vulnerability, allowing arbitrary code execution on the host system. The '-y' flag further exacerbates this by automatically confirming package installation without user intervention. Avoid direct execution of external commands like 'npx' with untrusted inputs. If external package execution is unavoidable, ensure all arguments are strictly controlled and sanitized. Consider using a more secure, sandboxed environment for such operations. Implement strict allow-listing for executable commands and their arguments. | LLM | SKILL.md:45 |
| HIGH | Data Exfiltration Risk via File Operations: The skill explicitly states that 'filesystem MCP provides these tools: read_file(path), write_file(path, content), list_directory(path), search_files(query)'. Combined with the 'file_operations' tool declared in the manifest, this creates a clear and direct path for the AI agent to read, write, list, and search for files on the host system. This capability can be abused to exfiltrate sensitive data, modify critical system files, or introduce malicious content. If file operations are necessary, implement strict access controls, path restrictions (e.g., only allow access to a specific, isolated directory), and content validation. Ensure that the AI agent cannot access sensitive system directories or files. Log all file access attempts for auditing. | LLM | SKILL.md:70 |
| MEDIUM | Supply Chain Risk from External MCP Server Discovery: The skill encourages users to discover and potentially install additional MCP servers from external marketplaces and repositories (e.g., 'mcp.run', 'awesome-mcp-servers', 'mcp-awesome.com'). This broad recommendation without strong vetting mechanisms for third-party servers introduces a significant supply chain risk. Users might install malicious or compromised MCP servers, leading to arbitrary code execution, data exfiltration, or other security incidents on their systems. Provide clear warnings about the risks of installing unverified third-party tools. Recommend only official or thoroughly vetted MCP servers. If possible, implement a mechanism to verify the integrity and authenticity of MCP server packages before installation. Educate users on how to identify and avoid malicious packages. | LLM | SKILL.md:60 |
Scan History
Powered by SkillShield