Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KVcore MCP CLI

v0.1.0

Perform KVcore CRM actions via MCP/CLI, including managing contacts, tags, notes, calls, emails, texts, campaigns, and raw API access with optional Twilio ca...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes a CLI/‘MCP server’ and lists concrete binaries/commands (npm run dev:kvcore-mcp, node packages/kvcore-cli/dist/index.js) plus required env vars (KVCORE_API_TOKEN, optional Twilio creds). However, the registry metadata declares no required env vars and the skill bundle contains no code files. A user would reasonably expect either the CLI code or an install spec; their absence is inconsistent with the stated purpose.
! Instruction Scope
Instructions tell the agent to run npm scripts and node executables under packages/..., and to use KVCORE_API_TOKEN and optional Twilio credentials. Those commands reference local project files that are not included in the skill. The instructions also permit raw endpoint access (kvcore_request) and fallback Twilio calls — behavior that will transmit data to external services. The SKILL.md asks the agent to access environment variables not declared in the registry metadata, which is a scope/information mismatch.
Install Mechanism
There is no install spec (instruction-only), which minimizes direct install risk. However, the runtime instructions require running npm build/dev commands implying a local repository or installed package; because no code or install steps are provided, an agent running those commands could either fail or execute arbitrary local npm scripts if present. The missing code/install details are a practical and transparency concern.
Credentials
Requiring KVCORE_API_TOKEN and optional Twilio credentials is proportionate to the CRM and outbound-call functionality described. That said, the registry metadata lists no required env vars while SKILL.md does — an inconsistency. Also note that Twilio auth tokens and the KVCORE API token are sensitive: if supplied they enable external API operations (sending texts/emails/placing calls).
Persistence & Privilege
The skill does not request persistent installation or always:true. It is user-invocable and may be invoked autonomously by the agent (platform default), which is expected. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
This skill's instructions expect a local npm-based CLI and list required environment variables (KVCORE_API_TOKEN, optional Twilio creds), but the published bundle contains no code or install instructions and the registry metadata doesn't declare those env vars. Before installing or providing credentials, ask the publisher for the source repository or a homepage, request clear install steps (or a vetted package), and inspect the npm scripts and code you would be running. Do not provide KVCORE_API_TOKEN or Twilio credentials until you can verify the code and confirm where network requests will be sent. If you must test, run in an isolated environment (ephemeral VM/container) and limit credentials (use test accounts or tokens with minimal scope).

Like a lobster shell, security has layers — review code before you run it.

latest vk97bkcxmmhyckpjjg9fdjxabah814k7f

