Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mcp Hello World
v1.0.2 · Minimal viable MCP server example - calling MCP tools in OpenClaw (add calculation + hello_world greeting)
⭐ 0· 153·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: a minimal MCP server using Node.js, providing two simple tools. Requested binary (node) and declared npm usage are appropriate and proportional to the stated purpose.
Instruction Scope
SKILL.md and bundled scripts direct the agent to install deps (npm install), start the server (npm start / node src/server.js), and call tools via mcporter stdio. The instructions reference example local paths and mcporter config but do not instruct reading unrelated system files or exfiltrating data.
Install Mechanism
No arbitrary URL downloads or extract steps; installation is via npm and the repository contains package.json/package-lock.json and source files. Note: SKILL.md includes an 'install' entry for npm, but the registry metadata earlier said 'No install spec'—a minor metadata inconsistency (see guidance). package-lock references a public npm registry mirror (npmmirror), which is typical of some dev environments but worth awareness.
Credentials
The skill does not declare or read any environment variables, credentials, or config paths beyond normal examples. There are no secrets requested and no excessive env/config access.
Persistence & Privilege
always:false and normal agent invocation are used. The skill does not request permanent platform presence or modify other skills or system-wide configuration in the files provided.
Assessment
This appears to be a straightforward example MCP server. Before installing: (1) review package.json and package-lock.json to confirm you trust the dependencies and their versions; run `npm audit` if possible; (2) note the small metadata inconsistency—SKILL.md contains an npm install hint while registry metadata said no install spec—confirm whether you will install from the bundled code or from an npm package name; (3) run the skill in an isolated/dev environment first (not production) and inspect network activity if you have concerns; (4) the skill does not request credentials, but if you later modify it to call external APIs, avoid embedding secrets in code or SKILL.md.
src/full-test.js:75
Shell command execution detected (child_process).
src/test.js:17
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
beginner-friendly · demo · hello-world · latest · mcp · tool-server
Runtime requirements
🔧 Clawdis
Bins: node
