Skill Audit Report

ai-skill-audit audit examples/mcp.json --llm --verbose --output html

Source: examples/mcp.json

mcp.json

C | mcp-config | Score: 68%

Check              Score   Weight
command_safety     20%     30%
filesystem_scope   100%    25%
secret_hygiene     60%     20%
network_trust      100%    25%
Verdict: warn Profile: mcp-config Malice: low Capability: low

warn: no active security findings; profile=mcp-config

Details & Suggestions

command_safety (20%)

  • [risky-server] Shell interpreter allows arbitrary command execution
  • [risky-server] Inline code execution flag in args

filesystem_scope (100%)

  • No overly broad filesystem access detected

secret_hygiene (60%)

  • [risky-server] Secret/token in environment: API_SECRET has hardcoded value

network_trust (100%)

  • No network exposure or suspicious URL issues

LLM Security Review

CRITICAL
  • The risky-server pipes a remote shell script directly into bash, granting full arbitrary code execution from an untrusted URL.
    Fix: Remove this server and replace with a vetted, pinned MCP package installed locally.
  • A live-looking API secret is hardcoded in plaintext inside the env block.
    Fix: Rotate the key immediately and load it from a secret manager or environment variable reference.
HIGH
  • The filesystem server is granted access to the entire ~/projects directory, exposing all project source and any embedded secrets.
    Fix: Scope the filesystem server to the specific subdirectory required for the current task.
MEDIUM
  • npx -y auto-installs the latest unpinned package version, enabling silent supply-chain swaps.
    Fix: Pin to a specific version (e.g., @modelcontextprotocol/server-filesystem@x.y.z) or install locally.
  • The remote install script is fetched over a non-integrity-checked URL with no checksum verification.
    Fix: Avoid curl-to-bash; download, inspect, and verify a pinned hash before execution.

Some concerns: MCP config (2 server(s), 3 finding(s), risk: CRITICAL) (weakest: command_safety)