Skillv1.0.1

ClawScan security

Sombra — Reader Mode for AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 21, 2026, 12:48 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (an MCP-backed reader-mode) matches the instructions, but the runtime instructions rely on npx to fetch and execute an npm package (sombra-mcp) and ask you to embed a bearer token into openclaw.json — both of which raise risk and warrant verification before installing.
Guidance: This skill appears to do what it claims (an MCP-backed reader library), but exercise caution before enabling it. The runtime setup uses npx to download and execute 'sombra-mcp' from the npm registry — review the package's source, publisher, and npm page before running it. Prefer installing a vetted release or running the server in an isolated environment/container. Do not paste long-lived high-privilege secrets directly into configs where other processes/users can read them; create a limited-scope token for Sombra that can be revoked, and store it securely (or use an OS-level secret manager). If you can't verify the npm package or its authors, treat this as higher risk and avoid installation.

Review Dimensions

Purpose & Capability: okName and description (persistent reader mode served via MCP) line up with the instructions: the skill tells you to run an MCP server (sombra-mcp) via npx and to supply a Sombra PAT. Requiring 'npx' is coherent with the approach of launching an npm-hosted MCP server.
Instruction Scope: concernSKILL.md instructs you to add an MCP server command to openclaw.json that includes the token inline (npx -y sombra-mcp --token <PAT>). That means the agent/user will execute a remote package at runtime and place a secret into a config file. The instructions do not ask the agent to read unrelated files, but they do direct runtime execution of external code and persistent storage of credentials — both higher-scope actions than simple read/search functionality.
Install Mechanism: concernThere is no static install spec, but the runtime invocation uses npx to fetch and run 'sombra-mcp' from the npm registry. npx dynamically downloads and executes code from a third-party registry (potentially arbitrary), which is higher risk than using a vetted packaged binary or a documented release URL. The SKILL.md also passes '-y' to make this non-interactive, increasing the chance code runs without manual review.
Credentials: okThe skill does not request unrelated environment variables or credentials in the registry metadata. It legitimately requires a Sombra personal access token for the service. Note: the instructions recommend embedding the token in openclaw.json as a command arg, which stores a secret in your local config — consider scope/minimum permissions and secure storage.
Persistence & Privilege: okalways is false and the skill is user-invocable; it does not request permanent/global presence. It does direct adding an MCP server entry into openclaw.json (a normal configuration change for MCP connectors). This is expected behaviour, not an elevated privilege by itself.