Assimilate MCP

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is a disclosed Assimilate control bridge, but it gives the agent broad control over production software and runs an external npm package that was not included for review.

Install this only if you trust the assimilate-mcp npm package and want an AI agent to control Assimilate Live FX/SCRATCH. Keep the HTTP server local or securely tunneled, protect any authorization key, and ask the agent to confirm before modifying projects, importing media, changing grades, creating outputs, or starting renders.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could change active Assimilate projects, import media, alter grades, or start renders.

Why it was flagged

The skill intentionally exposes broad controls, including project mutation, color changes, rendering, outputs, and media directory discovery.

Skill content

Complete 1:1 integration ... with 88 tools across 14 categories ... `create_project` ... `set_grade` ... `start_render` ... `list_directory` `find_media`

Recommendation

Use this only when you want AI-assisted control of Assimilate, and require explicit confirmation before create, set, import, output, or render actions.

What this means

You must trust the npm package and its maintainers, because this review cannot verify the code that will actually run.

Why it was flagged

The configured MCP server runs an npm package through npx, while the supplied review artifacts include no package source code.

Skill content

`"command": "npx", "args": ["-y", "assimilate-mcp"]`

Recommendation

Inspect the npm/GitHub package, pin a trusted version where possible, and install only from the expected publisher.

What this means

Anyone or anything with the configured key and network access to the API may be able to control the target Assimilate instance.

Why it was flagged

The skill may use an Assimilate authorization key to control the REST API, which is expected for this integration but grants delegated control.

Skill content

`--key` | `ASSIMILATE_KEY` | — | Authorization key |

Recommendation

Keep the key private, avoid placing it in shared configs, and use the narrowest access supported by Assimilate.

What this means

A misconfigured host, port, or tunnel could expose the Assimilate control API beyond the intended local machine.

Why it was flagged

The skill communicates with a local or tunneled HTTP API, so the network boundary determines who can reach the controlled Assimilate service.

Skill content

Live FX HTTP server enabled ... default port 8080 ... For remote machines, use an SSH tunnel

Recommendation

Keep the API bound to localhost when possible, use SSH tunnels only to trusted hosts, and protect the port with firewalling and authentication.