Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ofw-mcp
Version: 2.0.8

The skill provides a Model Context Protocol (MCP) interface for OurFamilyWizard (OFW), enabling co-parenting management tasks like messaging, calendar events, and expense tracking. The SKILL.md file includes responsible instructions for the AI agent, explicitly advising it to confirm actions before sending or deleting data and to warn users about side effects like marking messages as read. Setup procedures (npx, npm) and credential handling via environment variables (OFW_USERNAME, OFW_PASSWORD) are standard for MCP integrations and show no signs of malicious intent or data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The MCP server can act with the user's OFW account privileges, including access to private messages, contact details, calendar, expenses, and journal content.

Why it was flagged

The skill instructs users to provide direct OFW account credentials even though the registry metadata declares no primary credential or required environment variables. Those credentials unlock sensitive co-parenting records and write actions.

Skill content

"OFW_USERNAME": "you@example.com", "OFW_PASSWORD": "yourpassword"

Recommendation

Only use this if you fully trust the external MCP package. Prefer a dedicated or revocable credential if OFW supports it, avoid storing passwords in broadly readable config files, and ensure the skill metadata clearly declares the credential requirement.

What this means

An agent could make changes to OFW records that may matter in a legal co-parenting context, including expenses, calendar entries, journal entries, or sent messages.

Why it was flagged

The tool set includes high-impact actions such as sending messages, creating expenses, creating journal entries, updating events, and permanent event deletion. The caution section covers confirmation for sending and deleting, but not all create/update actions.

Skill content

MCP server for OurFamilyWizard — provides read/write access to messages, calendar, expenses, and journal.

Recommendation

Require explicit user approval before every OFW state-changing action, including create, update, send, mark-read, last-seen updates, and delete. Show the exact fields and recipients before execution.

What this means

If the npm package or its dependencies are compromised or change behavior later, the user's OFW credentials and co-parenting data could be exposed or misused.

Why it was flagged

The setup runs an external npm package without pinning a version in the instruction, and no package code or install spec is included in the provided artifacts. That package would receive OFW credentials and account access.

Skill content

"command": "npx", "args": ["-y", "ofw-mcp"]

Recommendation

Pin a trusted version, review the package source and dependencies before use, prefer a lockfile or audited install path, and do not provide OFW credentials to unreviewed code.