Hemlane MCP
PassAudited by VirusTotal on May 1, 2026.
Overview
Type: OpenClaw Skill Name: hemlane Version: 0.2.0 The hemlane skill bundle is a specialized automation tool designed to interact with the Hemlane property management platform using GraphQL operations derived from HAR captures. It features a sophisticated authentication mechanism in `scripts/capture_hemlane_auth_via_cdp.py` that uses the Chrome DevTools Protocol (CDP) to extract session headers from a running Brave browser. While this capability is high-risk, the bundle includes a proactive security measure in `scripts/security_guard.py` and `mcp/server.py` that restricts 'write' operations (mutations) to a specific authorized user identified by a SHA256 hash of their Discord ID. The code is well-documented, follows its stated purpose of property management automation, and lacks indicators of intentional malice or unauthorized data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with an authenticated Brave session, the agent can obtain reusable Hemlane session headers that may allow reading or acting in the user's Hemlane account.
The MCP tool exposes live browser-session auth capture and lets the caller choose an output file for captured headers. This is high-impact credential/session access and is not reflected by the registry metadata's lack of declared credentials.
@mcp.tool()
def capture_auth(endpoint_kind: str = "get-properties", out_file: str = None) -> dict:
"""Capture Hemlane auth headers from browser CDP session.""" ... args.extend(["--out-file", out_file])Declare the credential/session requirement, require explicit user approval before capture, restrict and protect the output path, and delete captured auth files after use.
In a shared OpenClaw/Discord deployment, Hemlane write authority may depend on a preselected identity rather than the installing user's explicit control.
Write authorization is tied to one hard-coded Discord sender hash instead of a local, installer-controlled allowlist or per-action approval mechanism.
AUTHORIZED_DISCORD_SENDER_SHA256 = "d40800cb299a0988be92536d6ac5a7e99659ec6d9fef7b7779a8fdeb980f8da1" ... if caller and __import__("hashlib").sha256(caller.encode()).hexdigest() == AUTHORIZED_DISCORD_SENDER_SHA256:Replace the hard-coded identity with local configuration controlled by the installer, and require per-action approval for Hemlane mutations.
An authorized invocation could immediately send messages or post comments in Hemlane using ambient runtime credentials, potentially affecting tenants, owners, or maintenance records.
The tool performs an external account mutation by posting tenant messages; the advertised auth_file parameter is not passed to the script, so credential scoping is unclear. Similar write tools exist for referrals and work-order/maintenance comments.
def send_tenant_reply(tenant_group_id: str, message: str, auth_file: str) -> dict: ... return run_script("send_hemlane_tenant_reply.py", ["--tenant-group-id", tenant_group_id, "--body", message])Make write tools dry-run by default, pass and validate the selected auth file, show the target account/record/content before sending, and require explicit confirmation for every mutation.
Sensitive tenant and payment-status information could be exposed to users of the skill or accidentally reused in future generated messages.
The skill persists HAR-derived tenant/payment details in reference material that agents may read and reuse across tasks.
"body": "Good morning Tiffany, as discussed, it seems your $890 December payment bounced and was reversed by Hemlane. You may see a new request for it to be reprocessed in your Financials tab. Thanks!"
Sanitize reference files by replacing real names, IDs, emails, phone numbers, and payment details with synthetic examples before publishing or sharing the skill.
Installing and enabling the MCP server means the agent can run the skill's bundled Python scripts for Hemlane operations.
The MCP server runs local Python helper scripts. This is central to the stated purpose, but users should understand that enabling the server permits local code execution for these workflows.
cmd = ["python3", str(script_path)] + (args or []) result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
Review the bundled scripts, run them in a limited user environment, and avoid granting broader shell access than needed.
A user may not realize from registry metadata that enabling the skill involves running a local Python MCP server.
The skill documents an MCP server setup even though the registry says there is no install spec. The behavior is disclosed, but dependency/setup requirements are under-declared.
"mcpServers": { "hemlane": { "command": "python3", "args": ["/home/umbrel/.openclaw/workspace/skills/hemlane/mcp/server.py"], "transport": "stdio" } }Declare the MCP server, Python dependency, and any required package dependencies in metadata or install documentation.