Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Create MCP Server
v1.0.0Create, deploy, and manage MCP (Model Context Protocol) servers using the MCPHero platform via the mcpheroctl CLI. Use this skill when the user wants to buil...
⭐ 0· 84·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the SKILL.md: it documents an end‑to‑end mcpheroctl wizard workflow to create, configure, and deploy MCP servers. There are no unexpected credential requests, unrelated binaries, or unrelated install steps declared.
Instruction Scope
Instructions stay within the stated purpose (run mcpheroctl wizard commands, poll wizard state, submit tools/env vars, save bearer token, deploy). The skill explicitly tells the operator to submit environment variable values and to save/use the returned bearer token (and the evals indicate guidance to edit local client config like Claude Desktop). This is expected for the use case, but it means the agent/operator will be placing secrets into the MCPHero backend and potentially writing local config files — be deliberate and explicit with those steps.
Install Mechanism
This is instruction‑only and has no install spec. It suggests installing mcpheroctl via Homebrew or 'uv tool install', which are standard distribution mechanisms for CLI tools. No arbitrary URL downloads or archive extraction are instructed by the skill itself.
Credentials
Although the skill declares no required environment variables (it's instruction-only), its workflow requires you to provide environment variable values and bearer tokens to MCPHero (database credentials, API bearer tokens, etc.) during the wizard. That is functionally necessary for wrapping internal services, but it is a sensitive operation: you will be transmitting secrets to mcphero.app and storing them there. The skill does not document least‑privilege recommendations, token scopes, or secret handling/rotation — consider this before supplying production credentials.
Persistence & Privilege
The skill does not request always:true and is user‑invocable only. It does not attempt to modify other skills or system settings beyond instructing the user to save tokens or update a client config (which is within its scope). Autonomous invocation is allowed (platform default) but not combined with any unusual privileges.
Assessment
This skill appears to do what it claims (it walks you through using mcpheroctl to create and deploy MCPHero servers). The key risk is data/credential exposure: the wizard will ask you to submit environment variables and bearer tokens that the MCPHero backend will store and use. Before using it: 1) confirm you trust mcphero.app and understand where secrets are stored and how they are protected; 2) prefer short‑lived or least‑privilege credentials (service accounts with minimal scope) rather than full production tokens; 3) test in a non‑production environment first; 4) if the skill or your workflow instructs you to edit local client configs (e.g., Claude Desktop), back up existing config files first; and 5) rotate or revoke any credentials you provide if you stop using the deployed server. If you need stronger assurance, ask for documentation from the MCPHero provider about secret handling or consider self‑hosting alternatives that keep credentials inside your network.Like a lobster shell, security has layers — review code before you run it.
latestvk97d3z4cv1bepdm7gc9kb5k81183ave8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.