Claude Code Agent
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for MCP orchestration, but it can launch configured tool-server commands and forwards all environment variables to them, so it needs careful review before use.
Install only if you are comfortable reviewing and controlling the MCP configuration. Pin and trust every MCP server package, restrict filesystem paths, use least-privilege tokens, avoid forwarding broad environment variables, and require confirmation before any tool performs writes, posts, deletions, or account changes.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A configured MCP server could be asked to read files, change repositories, post to services, or perform other actions depending on the server's tools and credentials.
Caller-supplied MCP requests are passed directly to a connected server. The artifacts do not show an allowlist, confirmation step, or separation between low-risk reads and high-impact tool actions.
    export async function executeMcpAction(
      clientId: string,
      request: McpRequestMessage,
    ) { ... return await executeRequest(client.client, request); }

Only connect trusted MCP servers, restrict which tools can be called, and require user confirmation for file writes, account changes, public posts, or other irreversible actions.
If the MCP configuration is unsafe or modified, the skill can start arbitrary local commands with the user's privileges.
The configured command and arguments are executed as a subprocess to create an MCP transport. The code does not restrict commands to known-safe binaries or server packages.
    const transport = new StdioClientTransport({
      command: config.command,
      args: config.args,
      env: { ... }
    });

Use a fixed allowlist of MCP server commands, store the config in a protected location, and review any new or changed server entry before initialization.
A compromised or untrusted MCP server could access secrets that were not intended for that server.
Every configured MCP server receives the full process environment plus any server-specific env values. That may include unrelated API keys, cloud credentials, or tokens.
    env: {
      ...Object.fromEntries(
        Object.entries(process.env)
          .filter(([_, v]) => v !== undefined)
          .map(([k, v]) => [k, v as string]),
      ),
      ...(config.env || {}),
    }

Forward only an explicit per-server environment allowlist, use least-privilege tokens, and declare any required credentials in the skill metadata.
The installed behavior can depend on whatever package version npm resolves at runtime, which is risky for tools that receive local access and credentials.
The documented MCP setup runs npm packages through npx -y without a pinned version. Those packages are not part of the reviewed artifact set.
    args: ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]

Pin exact MCP server package versions, verify their source, and avoid auto-accepting package execution for high-privilege tool servers.
Synced messages may be reused as future context; untrusted or stale remote content could influence later agent behavior.
Remote session messages are merged into local sessions. This is purpose-aligned for sync, but the artifacts do not mark remote message origin or trust level.
    remoteSession.messages.forEach((m) => {
      if (!localMessageIds.has(m.id)) {
        localSession.messages.push(m);
      }
    });

Sync only with trusted sources, preserve origin metadata where possible, and give users a way to review or clear persisted sessions.
