Security Audit
snyk/agent-scan:tests/skills/mcp-builder (github.com/snyk/agent-scan)
Trust Assessment
snyk/agent-scan:tests/skills/mcp-builder received a trust score of 27/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include Unpinned Python dependency version, Command Injection via stdio transport parameters, Data Exfiltration via environment variable injection in stdio transport.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on March 1, 2026 (commit 30a672c5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via stdio transport parameters.** The `scripts/connections.py` file allows creation of an MCP connection using the `stdio` transport. The `command`, `args`, and `env` parameters for this connection are passed directly to `stdio_client` without sanitization. If an untrusted source (e.g., a malicious LLM response or user-controlled input) can supply these parameters, arbitrary commands can be executed on the host system. The `scripts/evaluation.py` script exposes these parameters directly as command-line arguments, making it vulnerable if the script is run with untrusted inputs. Recommendation: implement strict validation and sanitization for the `command`, `args`, and `env` parameters when using the `stdio` transport. Consider an allowlist of permitted commands and arguments, or disallow arbitrary command execution entirely for untrusted inputs. If the `stdio` transport is intended only for internal, trusted processes, ensure that external, untrusted inputs cannot influence these parameters. | Static | scripts/connections.py:100 |
| HIGH | **Data Exfiltration via environment variable injection in stdio transport.** The `scripts/connections.py` file allows an `env` dictionary to be passed directly to `stdio_client` for the `stdio` transport. An attacker who can control the `env` parameter (e.g., through command-line arguments in `scripts/evaluation.py` or a manipulated LLM tool call) can inject arbitrary environment variables into the executed process. This could be used to exfiltrate sensitive environment variables (e.g., API keys, secrets) by passing them to a controlled external service or logging them. Recommendation: restrict the `env` parameter for `stdio` connections to a predefined, safe set of variables, or disallow arbitrary environment variable injection. Ensure that no sensitive information is exposed through environment variables that a potentially compromised process could read. | Static | scripts/connections.py:100 |
| HIGH | **Prompt Injection via untrusted evaluation questions.** In `scripts/evaluation.py`, the `question` field from the evaluation XML file is inserted directly into the LLM's `messages` as user content. If the evaluation XML (or the `question` within it) comes from an untrusted or user-controlled source, an attacker could craft a malicious `question` to perform prompt injection. This could manipulate the LLM's behavior, override its system prompt (`EVALUATION_PROMPT`), or coerce it into revealing sensitive information or performing unintended actions through tool calls. Recommendation: implement robust input sanitization and validation for the `question` content before passing it to the LLM. Consider techniques such as input filtering, escaping, or a separate, more restrictive prompt template for untrusted user inputs. Ensure that the LLM's system prompt is sufficiently robust to resist common injection attempts. | LLM | scripts/evaluation.py:100 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `anthropic>=0.39.0` is not pinned to an exact version. Recommendation: pin Python dependencies with `==<exact version>`. | Dependencies | tests/skills/mcp-builder/scripts/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement `mcp>=1.1.0` is not pinned to an exact version. Recommendation: pin Python dependencies with `==<exact version>`. | Dependencies | tests/skills/mcp-builder/scripts/requirements.txt:2 |
| INFO | **Unpinned dependencies in requirements.txt.** The `scripts/requirements.txt` file uses `>=` for dependency pinning (`anthropic>=0.39.0`, `mcp>=1.1.0`). While this enforces a minimum version, it allows automatic upgrades to newer versions without explicit review, which could introduce breaking changes or security vulnerabilities if a future version of a dependency contains a flaw. Fully pinning dependencies (`==`) gives deterministic builds and reduces the risk of unexpected changes. Recommendation: pin dependencies to exact versions (e.g., `anthropic==0.39.0`) to ensure deterministic builds and prevent unexpected updates, and regularly review and update dependencies to incorporate security fixes while keeping control over the versions used. | Static | scripts/requirements.txt:1 |
Full report: https://skillshield.io/report/3fa06574e6a48585