SkillAudit report — mcp-use/mcp-use
Scanned 2026-04-30 by SkillAudit v0.3 (surface-tiered static checks + LLM-assisted prompt-injection red-team).
Commit: ba0a357 · Stars: 9804 · Days since last push: 0
LLM prompt-injection probe: skipped — set ANTHROPIC_API_KEY to enable the LLM-assisted prompt-injection red-team
Overall grade: F (0/100)
| Axis | Score | Grade | |
|---|---|---|---|
| security | 0/100 | F | ❌ |
| permissions | 100/100 | A | ✅ |
| credentials | 0/100 | F | ❌ |
| maintenance | 100/100 | A | ✅ |
| compatibility | 70/100 | C | ⚠️ |
| docs | 100/100 | A | ✅ |
Security findings
Production sources:
- HIGH
libraries/typescript/packages/cli/src/commands/auth.ts:37— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
const response = await fetch(url, {
- HIGH
libraries/typescript/packages/cli/src/commands/auth.ts:69— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
const response = await fetch(url, {
- HIGH
libraries/typescript/packages/cli/src/commands/skills.ts:74— HTTP client call with user-controlled argument 'tarballUrl' — no URL allowlist / validation found in file
const response = await fetch(tarballUrl);
- HIGH
libraries/typescript/packages/cli/src/commands/skills.ts:58— Template-string URL with interpolation — no validation possible on composed string
fetch(\${TELEMETRY_URL}?${params.toString()}\).catch(() => {});
- HIGH
libraries/typescript/packages/cli/src/index.ts:121— Template-string URL with interpolation — no validation possible on composed string
await fetch(\http://${host}:${port}\);
- HIGH
libraries/typescript/packages/cli/src/index.ts:152— Template-string URL with interpolation — no validation possible on composed string
const response = await fetch(\http://${host}:${port}/inspector/health\, {
- HIGH
libraries/typescript/packages/cli/src/index.ts:1667— Template-string URL with interpolation — no validation possible on composed string
await fetch(\${apiBase}/api/tunnels/${existingSubdomain}\, {
- HIGH
libraries/typescript/packages/cli/src/index.ts:1858— Template-string URL with interpolation — no validation possible on composed string
await fetch(\${apiBase}/api/tunnels/${tunnelSubdomain}\, {
- HIGH
libraries/typescript/packages/cli/src/index.ts:2373— Template-string URL with interpolation — no validation possible on composed string
await fetch(\${apiBase}/api/tunnels/${tunnelSubdomain}\, {
- HIGH
libraries/typescript/packages/cli/src/index.ts:2400— Template-string URL with interpolation — no validation possible on composed string
await fetch(\${apiBase}/api/tunnels/${existingSubdomain}\, {
Test source (low-weight) — 3 total, deduct 5/0 per high/warn:
- HIGH
libraries/typescript/packages/inspector/tests/e2e/connection.test.ts:883— HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file
const response = await fetch(url, {
- HIGH
libraries/typescript/packages/inspector/tests/e2e/scripts/run-python-e2e.mjs:55— child_process.spawn with shell:true — arguments are parsed by sh/cmd, not argv'd
const proc = spawn(command, args, {
- HIGH
libraries/typescript/packages/inspector/tests/e2e/scripts/run-python-e2e.mjs:81— child_process.spawn with shell:true — arguments are parsed by sh/cmd, not argv'd
const proc = spawn(command, args, {
Permissions
_No findings on this axis._
Credentials
Production sources:
- HIGH
docs/python/client/authentication/bearer.mdx:22— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 20 chars)
- HIGH
docs/python/client/authentication/bearer.mdx:84— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 20 chars)
- HIGH
docs/typescript/client/authentication.mdx:76— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 20 chars)
- HIGH
docs/typescript/client/authentication.mdx:89— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 20 chars)
- HIGH
docs/typescript/client/authentication.mdx:111— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 20 chars)
Examples / samples (low-weight) — 5 total, deduct 5/0 per high/warn:
- HIGH
libraries/python/.env.example:14— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 26 chars)
- HIGH
libraries/python/.env.example:26— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 27 chars)
- HIGH
libraries/python/.env.example:29— Hardcoded OpenAI / Anthropic-style API key found in source
sk-*** (OpenAI / Anthropic-style API key, 34 chars)
- HIGH
libraries/python/.env.example:29— Hardcoded Anthropic API key found in source
sk-ant-*** (Anthropic API key, 34 chars)
- HIGH
libraries/typescript/packages/mcp-use/examples/agent/advanced/observability.ts:28— console.* of process.env — entire env leaks to stdout/stderr and LLM context
console.log(
Maintenance
_No findings on this axis._
Compatibility
Production sources:
- WARN
(meta)— No engines (Node) or python_requires declared — cross-client compatibility unverified
Documentation
_No findings on this axis._
Methodology
SkillAudit v0.3 clones the repo at the provided ref (default: default branch, HEAD) into an ephemeral sandbox, runs six static checks over .js/.ts/.py sources, queries the GitHub API for maintenance signals, and runs an LLM-assisted prompt-injection red-team over the MCP tool surface. Each axis is scored against the published rubric — surface tiers, per-(axis, surface) caps, grade buckets, and worked examples are all documented there.
The v0.3 calibration update introduces surface tiering: every finding is tagged with the code path it lives in (production / installer / examples / benchmarks / scripts / test). Production findings deduct at full weight (-30 high, -10 warn); installer findings deduct at half (-15 / -5); examples, benchmarks, top-level scripts, and tests deduct at low weight (-5 / 0). This stops a chatty benchmarks/ or samples/ directory from dominating an otherwise-clean MCP server's grade.
The prompt-injection axis extracts each server.tool(...) / @app.tool registration + the first ~60 lines of handler body, hands them to Claude Haiku 4.5 with a red-team system prompt, and asks for structured findings on untrusted-content flow into tool responses. One API call per scan, bounded at ~15K input tokens.
How to improve this grade
- Security — static: validate tool-input URLs against an allowlist before fetch/axios calls; use
execFilewith argv arrays instead ofexecwith template strings; never pass untrusted strings tosubprocesswithshell=True. - Security — prompt injection: never return fetched web-page / file / email content verbatim in a tool response. Wrap with a framing marker (e.g.,
<untrusted-content>...</untrusted-content>), summarize rather than inline, and never let untrusted content share a turn with credentials or other tool output. - Credentials findings: redact env-var reads before log lines and error messages; treat any string that ends up in a tool response as public.
- Maintenance: if the repo is inactive, document the maintenance model — "MCP tool, no breaking changes expected" is a legitimate signal.
- Docs: add a README install + usage section with a copy-pasteable command; add a SECURITY.md with a disclosure channel.
_Report generated by skillaudit.dev_
Want your repo audited?
First 100 audits go to waitlist signups in order. The engine runs against public GitHub URLs today.
Join the waitlist →