Fluora Setup
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Fluora setup purpose, but it downloads and executes unpinned GitHub code while setting up a fundable crypto wallet and persistent MCP configuration.
Use this only if you trust Fluora and the GitHub repository it clones. Prefer pinning/reviewing a specific commit, run setup in a controlled environment, fund the generated wallet with the minimum needed, and inspect ~/.fluora/wallets.json and your mcporter config after installation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The code that actually runs can change if the upstream repository or its dependencies change, and it may run with access to the local wallet/configuration created by the setup.
The skill fetches code from a live GitHub repository, installs dependencies, builds it, and executes the built server, but the artifacts do not pin a commit/tag or show integrity verification. Because that downloaded code is part of a wallet/payment setup, the unreviewed upstream code materially affects user risk.
const FLUORA_REPO = 'https://github.com/fluora-ai/fluora-mcp.git'; ... execCommand(`git clone ...`); execCommand('npm install', { cwd: FLUORA_DIR }); execCommand('npm run build', { cwd: FLUORA_DIR }); ... execCommand(`timeout 5 node build/index.js || true`, { cwd: FLUORA_DIR })
Review the upstream repository, pin a known commit or release, and run the setup in a controlled environment before funding the wallet.
Anyone or any future code with access to ~/.fluora/wallets.json could potentially spend the funded wallet balance.
The setup creates/reads a local crypto wallet private key and asks the user to fund that wallet. The included code uses the private key to derive the public address and does not show exfiltration, but the key controls real funds.
const WALLET_PATH = path.join(os.homedir(), '.fluora', 'wallets.json'); ... privateKey = wallet.privateKey; ... const wallet = new Wallet(privateKey); ... warn('2. Send $5-10 USDC to the address above'); warn('4. Also send ~$0.50 ETH for gas fees');
Fund only a small amount, protect the wallet file, back it up safely if needed, and do not fund it until you trust the downloaded Fluora code.
Running the setup can execute local shell commands and replace the existing Fluora workspace directory if the user approves that prompt.
The script uses shell execution for setup tasks, including optional removal of its own fluora-mcp workspace directory and running npm/build commands. This is central to the stated setup purpose, but it is still high-authority local execution.
return execSync(command, { stdio: 'pipe', encoding: 'utf8', ...options }); ... execCommand(`rm -rf "${FLUORA_DIR}"`);
Run it only intentionally, read prompts carefully, and back up any local changes under ~/.openclaw/workspace/fluora-mcp before allowing re-clone.
Future mcporter/OpenClaw use may launch the local Fluora registry and interact with Fluora services, including paid services when invoked.
The setup persists a new mcporter MCP server entry that future sessions can use. This is disclosed and purpose-aligned, but it changes future agent/tool behavior beyond the one-time setup run.
config.mcpServers['fluora-registry'] = { command: 'node', args: [fluoraBuildPath], env: { ENABLE_REQUEST_ELICITATION: 'true', ELICITATION_THRESHOLD: '0.01' } }; ... fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
Inspect the mcporter config after setup and remove the fluora-registry entry if you no longer want Fluora available.
