Decompose Mcp
PassAudited by ClawScan on May 1, 2026.
Overview
The skill’s artifacts are coherent for local text decomposition, with disclosed optional URL fetching and a standard external package install to review before use.
This appears reasonable for a local document-classification MCP skill. Before installing, verify the decompose-mcp package/source and grant network use only if you need URL decomposition; otherwise prefer the local text tool.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill means trusting the published Python package that provides the MCP server.
The skill is installed from an external Python package rather than from code included in the submitted artifacts; this is a normal setup pattern but users should verify the package and version they install.
pip install decompose-mcp
Install from the expected PyPI/source location, consider pinning the version, and review the referenced source if your environment is sensitive.
If URL decomposition is used, the tool will make outbound HTTP requests to the requested sites.
The skill exposes a network-fetching tool for user-specified URLs. This is disclosed and purpose-aligned, but it is still a capability users should notice.
The `decompose_url` tool fetches the target URL, which necessarily involves network I/O to the specified host.
Use decompose_text for fully local processing, and only use decompose_url for URLs you intend the tool to contact.