Atlas Tracker
PassAudited by ClawScan on May 10, 2026.
Overview
Atlas Tracker is a purpose-aligned integration, but safe use depends on trusting an external MCP server/plugin that can use your Atlas credentials and modify your maps.
Install this only if you trust the external Atlas Tracker MCP server and plugin source. Verify the files before running them, protect the AUTH_HEADER and API key, and review write/delete/upload actions before allowing the agent to perform them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can change Atlas Tracker content, manage comments, and upload selected local files to nodes.
The skill clearly discloses tools that can read and mutate Atlas Tracker data, upload files, and manage comments. This is aligned with the stated purpose, but it is still meaningful account/data modification authority.
Requires at_read_branch, at_create_branch, at_update_branch, at_get_node_types, at_read_attachments, at_create_link_node, at_upload_file, at_get_comments, at_add_comment, at_delete_comment, at_update_comment tools
Confirm the target map/node URL, update/delete arrays, and file path before allowing write, delete, or upload operations.
Anyone with access to these config values may be able to act through the Atlas Tracker integration with your account’s permissions.
The integration requires an Atlas Tracker authentication header and local API key. This is expected for the provider integration, but those values are credential-equivalent.
AUTH_HEADER=Basic <base64(username:md5(password))> API_KEY=<your-local-api-key>
Store the auth header and API key securely, avoid committing them to files under version control, and use the least-privileged Atlas account practical.
The external server/plugin will handle authenticated Atlas Tracker requests, so compromised or untrusted external code could misuse access.
The reviewed skill is instruction-only, while the actual MCP server and plugin files are obtained separately and built/installed by the user. Those external components are not included in the reviewed artifacts.
Once you have the server files: cd at-mcp/ yarn install yarn build ... cp index.ts ~/.openclaw/extensions/atlas-tracker/
Obtain the MCP server and plugin only from official RedForester/Atlas Tracker channels, inspect the files before installation, and consider pinning dependencies.
The local Atlas Tracker proxy may remain active in the background under your user account.
The skill recommends a persistent local user service. This is disclosed and user-directed, not hidden, but it means the MCP server continues running after setup.
# Or run as a systemd user service (recommended) cp at-mcp.service ~/.config/systemd/user/ systemctl --user daemon-reload systemctl --user enable --now at-mcp
Only enable the service if you need it always available, and know how to stop or disable it when not in use.