Trust Assessment
mcps received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Sensitive environment variable access: $GITLAB_TOKEN, Arbitrary Command Execution via mcps Configuration, Broad System Access Due to Arbitrary Command Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via mcps Configuration The `mcps` tool is designed to launch external processes by specifying `command` and `args` parameters when adding or configuring MCP servers. If an LLM is instructed to use `mcps add` or modify the `~/.mcps/mcp.json` configuration with untrusted input for these parameters, it can lead to arbitrary command execution on the host system. The documentation explicitly demonstrates this capability with `uvx` and `npx`. When interacting with `mcps add` or configuration files, strictly sanitize or validate all `command` and `args` parameters if they originate from untrusted sources. Consider implementing a whitelist of allowed commands and arguments, or sandboxing the execution environment for `mcps` and its spawned processes. | LLM | SKILL.md:19 | |
| HIGH | Broad System Access Due to Arbitrary Command Execution The `mcps` tool's core functionality involves executing arbitrary commands (`uvx`, `npx`, etc.) and interacting with various system resources (e.g., PostgreSQL, GitLab, local files for JSON parameters). This grants the `mcps` process, and any LLM controlling it, broad permissions equivalent to the user running the tool. This level of access is excessive if the tool is exposed to untrusted input without proper sandboxing or validation. Implement strict input validation and sanitization for all parameters passed to `mcps` commands, especially those that influence command execution or file access. Consider running the `mcps` tool and the LLM agent in a sandboxed environment with minimal necessary permissions. | LLM | SKILL.md:19 | |
| MEDIUM | Sensitive environment variable access: $GITLAB_TOKEN Access to sensitive environment variable '$GITLAB_TOKEN' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/maplezzk/mcps-skill/SKILL.md:59 | |
| MEDIUM | Unpinned npm Dependency in Installation Instructions The installation instruction `npm install -g @maplezzk/mcps` does not specify a version for the `@maplezzk/mcps` package. This means that executing this command will always install the latest available version. If a malicious update is published to the npm registry, it could lead to a supply chain attack, compromising the system where the skill is installed. Pin the dependency to a specific, known-good version (e.g., `npm install -g @maplezzk/mcps@1.2.3`). Regularly review and update the pinned version after verifying its integrity and security. | LLM | SKILL.md:12 |
Scan History
Embed Code
[](https://skillshield.io/report/651f97ca826ee391)
Powered by SkillShield