ClawHub

MCP Security Auditor Lite

v1.0.0

Free version — scan your MCP configuration for the top 3 security risks. Tool description injection, permission sprawl, and supply chain trust.

0· 40·0 current·0 all-time
by@apex-stack-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match SKILL.md: it promises a lightweight, manual-style security scan of MCP configs across three dimensions. There are no unexpected binaries, env vars, or installs required.
Instruction Scope
The skill is instruction-only and asks the agent to evaluate MCP config/tool lists provided by the user using the included rubrics. This is expected, but the rubric-driven analysis is manual reasoning rather than automated checks; the user must supply config data (which may contain secrets) and the agent will analyze it.
Install Mechanism
No install spec or code files; lowest-risk delivery model. Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required credentials or environment access (appropriate). However, it requires the user to paste MCP configs/tool lists — those artifacts can contain sensitive secrets or tokens, so the user should sanitize inputs before sharing.
Persistence & Privilege
always is false and default invocation behavior is normal. The skill does not request persistent presence or system-wide changes.
Assessment
This skill is a checklist-style, manual analyzer and is internally consistent with its description. Before using it: do not paste live secrets, API keys, or private keys into the chat — sanitize or redact sensitive fields; verify any remediation steps before applying them; treat the paid-version link as an external marketing URL (don’t provide credentials there); and remember the output is agent reasoning (not an automated code audit), so consider running independent tooling for confirmatory checks if you need high assurance.

Like a lobster shell, security has layers — review code before you run it.

auditvk975awec0ftzn9c74qjy4d32gh842btvclaude-skillsvk975awec0ftzn9c74qjy4d32gh842btvdevsecopsvk975awec0ftzn9c74qjy4d32gh842btvlatestvk975awec0ftzn9c74qjy4d32gh842btvmcpvk975awec0ftzn9c74qjy4d32gh842btvsecurityvk975awec0ftzn9c74qjy4d32gh842btvtool-poisoningvk975awec0ftzn9c74qjy4d32gh842btv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments