Skillv1.0.0

ClawScan security

Create MCP Server · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 30, 2026, 10:12 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The instructions match the claimed purpose (using mcpheroctl to build/deploy MCPHero servers) but the skill metadata omits required binaries/credentials and the runtime guidance involves creating and persisting sensitive tokens — the mismatch and secret-handling deserve attention.
Guidance: This skill's instructions legitimately use the mcpheroctl CLI and involve creating/persisting API keys and bearer tokens, but the registry metadata doesn't declare those requirements. Before installing or using: (1) verify you trust mcphero.app and the mcpheroctl binary source (install from the official tap or vendor); (2) do not paste high-privilege production secrets — create least-privilege API keys or test accounts for onboarding; (3) be aware the workflow will ask you to submit env-var values and will produce a server bearer_token you must store — inspect where you save it (e.g., claude_desktop_config.json) and prefer secure storage; (4) consider running the CLI steps manually first to see what data is sent and what code is generated, and review generated code before deploying; (5) ask the skill author to update the metadata to list mcpheroctl as a required binary and to declare the required credential(s) so you can make an informed decision. If you want, provide me the mcpheroctl commands you plan to run and I can point out which ones will handle secrets and where they'll be stored.

Review Dimensions

Purpose & Capability: concernThe SKILL.md is clearly about using the mcpheroctl CLI and an MCPHero organization API key to create servers. However the registry metadata declares no required binaries or env vars, which is inconsistent — the skill practically requires installing mcpheroctl and an MCPHero API token.
Instruction Scope: noteThe runtime instructions stay on-topic: they describe a step-by-step mcpheroctl wizard flow, polling for async states, submitting env-var values, generating code, and deploying. They also instruct saving/using bearer tokens and updating client configs (e.g., Claude Desktop). That secret handling is within the stated purpose but is sensitive and should be explicit in metadata.
Install Mechanism: okThis is an instruction-only skill with no install spec. The SKILL.md suggests installing mcpheroctl via Homebrew or 'uv tool install' — both are common, non-arbitrary installers. There are no downloads or extraction instructions in the skill itself.
Credentials: concernAlthough the skill needs an MCPHero org API token and will require service-specific env vars (e.g., internal API base URLs and bearer tokens) at runtime, the metadata lists no required env vars or primary credential. The skill also instructs producing and persisting a server bearer_token (sensitive). The missing declaration of these credentials is disproportionate to the metadata and reduces transparency.
Persistence & Privilege: okThe skill is not marked 'always' and does not request system-wide privileges. The only persistence implied is the normal workflow outcome: generation of a long-lived server bearer_token that the user is instructed to save (and optionally write into a client config). This is expected for this purpose but is sensitive.