ClawHub

Pndr

v1.0.20260202

Personal productivity app with Ideas/Tasks, Journal, Habits, Package tracking, Lists, and more via MCP

1· 2.9k·8 current·9 all-time
byDanny Gershman@dgershman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a Pndr MCP integration and only requires the mcporter CLI and Pndr OAuth credentials to connect to pndr.io — these are proportionate and expected for the stated functionality.
Instruction Scope
The SKILL.md directs users to create an OAuth client, obtain an access token, and add it to MCP client config files (e.g., config/mcporter.json, claude_desktop_config.json). This is expected for an integration, but the skill references editing local config files even though no required config paths were declared in the registry metadata (minor inconsistency). The instructions do not ask the agent to read unrelated system files or exfiltrate other data.
Install Mechanism
There is no install spec and no code files; this is an instruction-only skill that expects an existing mcporter binary. That is the lowest-risk install posture.
Credentials
No environment variables are declared, which matches the manifest. The integration does require OAuth client_id/client_secret and an access token (sensitive credentials) — that is appropriate for an API integration but users should be aware they must supply and store those tokens in local config files.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent elevation or to modify other skills' configs. Asking users to add tokens to their own MCP client config is normal for this type of connector.
Assessment
This skill is an instruction-only connector to pndr.io and appears consistent with its stated purpose. Before installing: 1) Verify you trust https://pndr.io and confirm the OAuth client you create is limited in scope; 2) Install mcporter from a known source and confirm its integrity; 3) When asked to provide client_id/client_secret or an access token, only paste values you created for this integration (do not reuse broad credentials); 4) Store tokens in local config files you control and revoke them if you stop using the integration; 5) If OpenClaw offers an automatic setup that asks you to paste credentials, double-check the prompt originates from the OpenClaw UI. If you want extra caution, create a dedicated OAuth client with minimal permissions and short-lived tokens.

Like a lobster shell, security has layers — review code before you run it.

habitsvk976achtezenn4h3hgmt41rq8h80caywjournalvk976achtezenn4h3hgmt41rq8h80caywlatestvk976achtezenn4h3hgmt41rq8h80caywmcpvk976achtezenn4h3hgmt41rq8h80caywproductivityvk976achtezenn4h3hgmt41rq8h80caywtasksvk976achtezenn4h3hgmt41rq8h80cayw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
Binsmcporter

Comments