Skill v1.0.5

ClawScan security

Atlas Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 3, 2026, 7:24 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions broadly match its stated purpose (interacting with Atlas Tracker) but contain coherence and supply-chain gaps and ask you to run and install unbundled code and credentials that are not declared in the registry metadata.
Guidance
This skill appears to do what it says (operate on Atlas Tracker maps), but there are several red flags you should address before installing or running anything:
- Metadata mismatch: The registry lists no required env vars or install steps, yet SKILL.md requires you to run a local MCP server and set AT_BASE_URL, AUTH_HEADER, API_KEY, PORT. Ask the publisher to correct the registry metadata or include clear provenance for those components.
- Unbundled code: The skill tells you to copy index.ts and openclaw.plugin.json into ~/.openclaw/extensions, but those files are not included. Do NOT copy or run plugin code from unknown sources. Obtain the MCP server and plugin only from an official RedForester/OpenClaw repository or the maintainer and review their code first.
- Credential handling: AUTH_HEADER requires base64(username:md5(password)). Storing such derived credentials in systemd service files or .env files can expose them (service files and env files may be readable by other local processes or backups). Use least-privilege credentials (a dedicated API key for the local proxy), avoid reusing your Atlas Tracker password, and restrict file permissions to the minimum required.
- Network controls: The MCP server should be bound to localhost only and firewall rules applied so it cannot be reached remotely. Verify the MCP server does not accept external connections by default.
- Review code: Before enabling the plugin or MCP service, inspect their source for data exfiltration (HTTP requests to unknown hosts, logging of credentials, telemetry). If you cannot review the code, do not install it.
- Ask for clarification: Request that the skill package include or reference exact sources (GitHub repo and release tags) for the MCP server and plugin and update registry fields to list required env vars and files.
Given these issues (inconsistencies in declared requirements, required persistent local components from external sources, and handling of credentials), proceed only after verifying sources and reviewing the code. If you want, provide the MCP server and plugin repository links and I can re-evaluate the supply-chain and code-level risks.

Review Dimensions

Purpose & Capability
note
The skill is for manipulating Atlas Tracker maps and the SKILL.md's workflows (read/create/update nodes, upload files, comments, typed nodes) match that purpose. However, the registry metadata claims 'no required env vars' and 'no install', while the SKILL.md instructs installing a local MCP proxy and setting several env vars (AT_BASE_URL, AUTH_HEADER, API_KEY, PORT) and copying plugin files into ~/.openclaw/extensions. That mismatch is unexpected and reduces confidence.
Instruction Scope
concern
The instructions require you to run a local Node.js MCP server, set auth-related environment variables (including an AUTH_HEADER derived from username/md5(password)), and copy an OpenClaw plugin (index.ts/openclaw.plugin.json) into your extensions directory. The skill's text also documents direct REST usage patterns that show how to construct Basic auth headers. These steps involve handling credentials and installing code not included with the skill; the SKILL.md reads and expects secrets and files that the package metadata did not declare. Reading/writing local service files and placing plugins into the agent's extension directory are beyond a simple instruction-only mapping skill and create supply-chain and credential-handling risk.
Install Mechanism
ok
There is no install spec and no code files in the package; the skill is instruction-only. That reduces immediate supply-chain risk from the registry package itself. The instructions do tell the user to run and install external code (at-mcp server and an OpenClaw plugin) from outside sources, which is a user action rather than an automated install by the skill package.
Credentials
concern
Although the skill itself declares no required env vars, the SKILL.md explicitly requires AT_BASE_URL, AUTH_HEADER, API_KEY, and PORT for the MCP server. Those credentials are plausibly needed to proxy to app.redforester.com, but the registry metadata omission is inconsistent and could hide credential requirements. AUTH_HEADER uses an MD5(password) scheme (documented in references), which is weak/odd and may cause accidental exposure of credentials if stored in systemd service files or .env without care.
Persistence & Privilege
concern
The runtime instructions tell the user to run a long-lived local service (systemd user service) and to copy a plugin into ~/.openclaw/extensions so OpenClaw will load it persistently. While the skill metadata does not set always:true, these steps create persistent code and agent-scope plugins on the user's machine. Because the required plugin and MCP server code are not included in the packaged skill, installing them from external sources increases the attack surface and persistence risk.