Back to skill

Security audit

mcp-adapter

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MCP bridge, but it needs Review because it delegates broadly to external MCP tools while shipping a vulnerable MCP SDK version and an overbroad stdio configuration schema.

Install only if you trust the MCP endpoints you configure and can keep them least-privileged. Avoid production databases, secrets, or account-mutating tools until the package updates the MCP SDK to a patched version, documents the trust boundary clearly, and either implements stdio safely with explicit consent or removes the stdio schema.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to discover and call arbitrary external MCP server tools, which is effectively network-capable behavior, yet the skill declares no permissions or trust boundaries. This creates a real security gap because users and policy systems are not clearly informed that the skill can reach external services, access remote data, and potentially invoke sensitive operations exposed by connected MCP servers.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README presents a database-query capability as a normal example without warning that querying connected databases may expose sensitive or regulated data. In an agent-tooling context, documentation examples strongly influence deployment patterns, and this can normalize granting an AI broad database access without approval gates, least-privilege controls, or data-sensitivity guidance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation presents a generic `mcp` tool that can enumerate and invoke arbitrary tools across connected MCP servers, including over remote HTTP, but does not warn users that prompts, arguments, or retrieved data may be transmitted to external systems. In an agent setting, this omission can lead to inadvertent exfiltration of sensitive user data or unsafe delegation to untrusted remote services because the interface normalizes broad external capability behind a single tool.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plugin exposes a generic tool that forwards requests and arguments to configured MCP servers, but the user-facing interface does not clearly warn that invoking a tool may send data to remote third-party services or trigger remote side effects. In this skill’s context, that omission is meaningful because MCP is explicitly designed to bridge agents to external tools and data sources, so a user or upstream agent could unknowingly disclose sensitive inputs or cause remote actions.

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.25.3 — 1 advisory(ies): CVE-2026-25536 (@modelcontextprotocol/sdk has cross-client data leak via shared server/transport)

High
Category
Supply Chain
Confidence
97% confidence
Finding
@modelcontextprotocol/sdk==1.25.3

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.