Skill v0.2.4
ClawScan security
Mcp Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:25 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: a small Python wrapper that sends plain-text search queries to a documented external API and returns server results; it requests no credentials or unusual system access.
- Guidance: This skill sends whatever you type as the search query to an external service (https://api.rhdxm.com). Do not include passwords, API keys, proprietary code, or other sensitive data in queries because the remote service will receive and may log them. Review the GitHub project and the API provider's privacy/security posture if you intend to use it for sensitive workflows. If you need full control over data, consider self-hosting an index or using a provider you control.
Review Dimensions
- Purpose & Capability: ok. Name/description (find MCP servers) match the code and instructions. The only required binary is python3 and the code performs HTTP queries to api.rhdxm.com to retrieve indexed servers; this is proportional to the stated purpose.
- Instruction Scope: ok. SKILL.md instructs running finder.py or calling the documented API and explicitly warns that queries are transmitted. The included finder.py only reads command-line args and performs an HTTPS POST to /find; it does not read local files, environment variables, or other system state.
- Install Mechanism: ok. No install spec provided (instruction-only with one small script). Nothing is downloaded or written to disk by an installer, and no external packages are required beyond Python stdlib.
- Credentials: ok. The skill declares no required environment variables or credentials and the code does not access any. No excessive or unrelated secrets are requested.
- Persistence & Privilege: ok. Skill is not forced-always; it is user-invocable and allows autonomous invocation by default (normal). It does not attempt to modify other skill configs or request persistent system privileges.
