Trust Assessment
mcp-builder received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 0 high, 4 medium, and 0 low severity. Key findings include an unpinned Python dependency version, arbitrary command execution via the stdio transport, and unpinned dependencies in requirements.txt.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution via stdio transport.** The `scripts/connections.py` module defines an `MCPConnectionStdio` class that directly executes a command and its arguments using `stdio_client`. The `scripts/evaluation.py` script's `main` function takes `command`, `args`, and `env` as command-line arguments and passes them directly to `create_connection`, which then uses them to instantiate `MCPConnectionStdio`. If an attacker can control these command-line arguments (e.g., through a compromised environment, or if the LLM is prompted to construct malicious arguments for the evaluation script), they can achieve arbitrary code execution on the host system. Recommendations: 1. **Sanitize/Validate Inputs**: Thoroughly sanitize and validate `command`, `args`, and `env` parameters before passing them to `stdio_client`. Only allow a predefined whitelist of commands and arguments. 2. **Least Privilege**: Run the MCP server process with the absolute minimum necessary permissions. 3. **Isolate Execution**: Consider running `stdio` connections within a sandboxed environment (e.g., Docker container, gVisor) to limit the blast radius of any command injection. 4. **Avoid Direct Execution**: If possible, redesign the `stdio` transport to use a more controlled IPC mechanism rather than direct command execution. | LLM | scripts/connections.py:60 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `anthropic>=0.39.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/mcp-builder/scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `mcp>=1.1.0` is not pinned to an exact version. Pin Python dependencies with `==<exact version>`. | Dependencies | skills/mcp-builder/scripts/requirements.txt:2 |
| MEDIUM | **Unpinned dependencies in requirements.txt.** The `scripts/requirements.txt` file specifies dependencies (`anthropic`, `mcp`) using `>=` operators. This allows any future version of these packages to be installed, including potentially malicious or incompatible versions, and increases the risk of supply chain attacks if a future version of a dependency is compromised. Pin dependencies to exact versions (e.g., `anthropic==0.39.0`) or use a tilde operator for minor version updates (e.g., `anthropic~=0.39.0`) to ensure reproducible and secure builds. Regularly review and update pinned dependencies. | LLM | scripts/requirements.txt:1 |
| MEDIUM | **Ability to connect to arbitrary external MCP servers.** The `scripts/connections.py` module allows the creation of `MCPConnectionSSE` and `MCPConnectionHTTP` instances that can connect to any specified `url` with arbitrary `headers`. The `scripts/evaluation.py` script's `main` function takes `url` and `headers` as command-line arguments and passes them directly to `create_connection`. If an attacker can control these arguments, they could direct the skill to connect to a malicious external server, which could lead to data exfiltration from the MCP server or other network-based attacks. Recommendations: 1. **Whitelist URLs**: If possible, restrict the `url` parameter to a predefined whitelist of trusted MCP server endpoints. 2. **Input Validation**: Implement strict validation for `url` and `headers` to prevent common attack patterns (e.g., SSRF, header injection). 3. **Network Segmentation**: Run the skill in an environment with network policies that restrict outbound connections to only necessary and trusted endpoints. | LLM | scripts/connections.py:70 |