Runtime Debug Skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This debugging skill has a plausible purpose, but it asks to install persistent external tracing/MCP tooling, run a remote installer, and write credentials or tokens into project and agent configuration files.
Install only in a development/test project you are comfortable instrumenting. Inspect remote scripts before running them, pin MCP and SDK versions, avoid committing tokens or API keys, review every generated diff, understand what trace data is sent to Syncause, and remove the SDK/MCP configuration after debugging.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised remote script could alter the project or development environment before the user has reviewed the exact code being run.
The Node.js setup executes a downloaded shell script directly. The script body is not included in the reviewed artifacts, yet it can run commands and modify the user's project.
curl -sL https://raw.githubusercontent.com/Syncause/ts-agent-file/v1.6.0/install_probe.sh | bash
Do not pipe remote scripts directly to bash. Download and inspect the script first, pin to an immutable commit or verified checksum, and run it only with explicit user approval in a disposable branch/environment.
Future or compromised versions of the MCP package could run with the agent's local privileges and expose new tools or behavior without a fresh skill review.
The MCP server is configured to run from npm using the mutable @latest tag, with no reviewed package contents or lockfile in the skill artifacts.
"args": ["-y", "@syncause/debug-mcp@latest"]
Pin the MCP package to a reviewed version, prefer project-level configuration, and verify the package source before enabling it.
A token committed to source control or shared in build logs can be leaked or misused, and the user may not realize the skill is adding a credential to their project.
The Java guide instructs adding a PAT-like GitHub token into pom.xml and using it in an authenticated Maven repository URL.
<syncause.repo.token.p1>github_pat_11B3DNTTY0J3...</syncause.repo.token.p1> ... <url>https://syn-cause:${syncause.repo.token.p1}${syncause.repo.token.p2}@maven.pkg.github.com/Syncause/syncause-sdk</url>
Avoid writing tokens into project files. Use environment variables, a private package registry configuration, or a public artifact that does not require embedded credentials.
Runtime traces may contain sensitive application details, and stale or incorrect traces could influence future debugging decisions.
The workflow stores and retrieves runtime traces for later analysis, but the artifacts do not define data filtering, retention, sanitization, or how old traces should be trusted.
collect runtime data with the SDK, then analyze with MCP tools ... search_debug_traces(projectId, query="<symptom>")
Use this only on non-sensitive development data unless retention and filtering are understood; verify trace origin/project IDs and clean up trace data when debugging is complete.
The external MCP server may remain available to future agent sessions or other projects after the user finishes debugging.
The MCP installation guide allows writing the debug MCP server into user-level agent configuration, which can persist beyond the immediate debugging task.
Edit `.mcp.json` (Project-level) or `~/.claude/settings.json` (User-level)
Prefer project-level MCP configuration, disable or remove the MCP server after the task, and avoid storing API keys in global agent settings unless necessary.
The application may behave differently or fail to start if the instrumentation is inserted incorrectly or left enabled in the wrong environment.
The skill modifies the application's startup path to run the tracer. This is aligned with runtime debugging but can break startup or unintentionally enable tracing if not reviewed.
Insert the following initialization code at the top of the identified entry file ... initialize(api_key="{apiKey}", app_name="{appName}", project_id="{projectId}")
Review all diffs, apply changes on a branch, keep tracing out of production unless intended, and remove the SDK after debugging.
