KVcore MCP CLI
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s CRM purpose is coherent, but it asks an agent to use high-impact KVcore and Twilio account powers, including raw API access and outbound messages/calls, without clear guardrails or declared credentials.
Review this carefully before installing. Use a least-privilege KVcore token, avoid enabling Twilio unless needed, require manual approval before any CRM write or outbound message/call, and do not use raw API access unless you understand the exact endpoint and impact.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could change CRM data or send emails/texts/calls to leads or customers without enough review.
These tools can modify CRM records, send customer communications, refresh campaigns, and call arbitrary KVcore endpoints, but the artifact does not document confirmation requirements, endpoint allowlists, or other safeguards.
`kvcore_contact_create`, `kvcore_contact_update` ... `kvcore_email_send`, `kvcore_text_send` ... `kvcore_campaigns_refresh` ... `kvcore_request` (raw endpoint access)
Require explicit user confirmation for every write, send, call, campaign, or raw API action; restrict raw endpoint access to an allowlist; and provide dry-run or preview behavior where possible.
Installing or using the skill may require granting access to a CRM account and Twilio calling capability that were not visible in the registry requirements.
The skill requires CRM account credentials and optionally phone-provider credentials. Registry metadata declares no required environment variables or primary credential, so this high-impact account authority is under-disclosed.
Required:
- `KVCORE_API_TOKEN`

Optional:
- ... `TWILIO_ACCOUNT_SID`, `TWILIO_AUTH_TOKEN`, `TWILIO_FROM_NUMBER`
Declare KVCORE_API_TOKEN and optional Twilio credentials in metadata, document the minimum required scopes, and use least-privilege credentials dedicated to this integration.
The code that would process credentials and perform CRM/Twilio actions is not present for review, leaving its provenance and behavior unclear.
The skill tells the user to run npm and node commands for an MCP server and CLI, but the supplied artifact set contains no code files or install spec for reviewing those scripts.
Start with:
```bash
npm run dev:kvcore-mcp
```
...
`node packages/kvcore-cli/dist/index.js ...`
Publish the referenced MCP/CLI implementation, package metadata, and lockfiles with the skill, or clearly document the trusted source users must install from before running these commands.
