Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cherry Mcp
v1.0.3
HTTP bridge that keeps MCP servers alive and exposes them via REST. Built for OpenClaw agents that need MCP tools without native MCP support.
by EULOxGOS @bitbrujo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: bridge spawns MCP servers as child processes, keeps them alive, exposes tools over HTTP, and provides a CLI to manage config. Required files and behavior are consistent with implementing an MCP-to-HTTP bridge.
Instruction Scope
SKILL.md and the CLI limit which commands are run to those in config.json (there is no HTTP endpoint to run arbitrary shell commands). However, spawned servers inherit the service's process environment, and the project stores server env vars in plaintext config.json by default (the README warns about this). The server also sets Access-Control-Allow-Origin: '*', which makes a localhost-only service easier to reach from a remote webpage (CSRF/CORS risk).
Install Mechanism
No external install/downloads or odd install steps are included in the package; files are local JS scripts and package.json. No network fetches or archive extractions are performed by an installer.
Credentials
The skill declares no required credentials (correct). But it allows you to store arbitrary env vars per server in config.json (saved plaintext). That's expected for running third-party MCP tools, but it increases the risk of accidental secret leakage or exfiltration if the local HTTP API is abused or if config.json is committed to source control.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and runs as a normal process. It requires no elevated platform privileges beyond spawning child processes and writing local logs/config, which is appropriate for its purpose.
What to consider before installing
This package implements exactly what it claims, but pay attention to these security implications before installing:
- Secrets handling: The CLI can save server-specific environment variables into config.json in plaintext. Do not store long-lived API keys there; instead export them in the shell before starting the bridge, add config.json to .gitignore, or use an alternative secret store.
- Arbitrary commands: The bridge will spawn whatever command you add to config.json. Only add commands you trust. A misconfigured server entry could run anything on your machine.
- Localhost exposure & CORS: Although the server binds to 127.0.0.1, it sets Access-Control-Allow-Origin: '*'. That makes it possible for a malicious website open in your browser to issue requests to the bridge and read responses (same-origin protections defeated by the wildcard CORS). If you run this on a desktop, either remove or restrict the CORS header, enable the IP allowlist, or set strong rate limits and audit logging.
- Audit & controls: Enable audit logging and an IP allowlist if you plan to expose tools that act on sensitive accounts. Configure rate limits to reduce impact of automated requests.
- Least privilege & isolation: Run the bridge with minimal OS privileges (non-root user) and consider containerizing it. Review every server entry before starting and avoid running untrusted MCP packages under your main account.
If you want me to mark specific lines to change (e.g., remove wildcard CORS, harden default config, or prompt before writing env values to config.json), I can produce a patch or recommended code edits. If you need higher assurance, ask the author for provenance or run the bridge in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
