Ultrahuman (OpenClaw)

This skill appears to do what it says (call an Ultrahuman MCP server via mcporter and summarize the JSON), but there are important caveats to review before installing/using it: - Metadata mismatch: the registry entry declares no required env vars or binaries, but the SKILL.md and script require ULTRAHUMAN_AUTH_TOKEN, ULTRAHUMAN_USER_EMAIL and mcporter (and building the Ultrahuman-MCP repo requires bun/node). Treat the metadata as incomplete and verify requirements manually. - Inspect the MCP code: the SKILL.md tells you to build and run a third‑party repo (https://github.com/Monasterolo21/Ultrahuman-MCP). Building and running that code means executing unvetted Node/Bun code on your machine; review that repository for unexpected network calls, telemetry, or data exfiltration before running it. - Credentials handling: provide only the minimum-scoped token you can. The script will also attempt to read ~/.openclaw/openclaw.json for env.vars — check that file for any other secrets you don’t want accessed and remove or isolate them if necessary. - mcporter and config paths: mcporter executes the MCP server process. Ensure your mcporter config points to the intended local binary (absolute path) and not to an attacker-controlled executable. Prefer explicit --mcporter-config and absolute paths when running the script. - If you need assurance: ask the publisher to update registry metadata to declare required env vars and binaries, and/or provide a signed release of the MCP server. If you don’t trust building external code, do not run the MCP process on sensitive systems. Given these mismatches and the fact the skill executes a separate MCP process you must supply/build, treat the package as suspicious until you verify the MCP repository and your local config/credentials.