Assimilate MCP
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: assimilate-mcp Version: 1.0.0 The skill bundle is classified as suspicious due to its reliance on an external npm package (`assimilate-mcp`) executed via `npx`, which introduces a supply chain risk. The underlying tool, as described in `SKILL.md`, grants the AI agent broad filesystem access (e.g., `list_directory`, `find_media`, `import_media`) and network access to a local REST API, potentially handling an authorization key. While these capabilities are necessary for the stated purpose of controlling media software, they represent significant high-risk behaviors that could be exploited through prompt injection or if the external package itself were compromised, without clear evidence of intentional malice within the skill bundle itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could change active Assimilate projects, import media, alter grades, or start renders.
The skill intentionally exposes broad controls, including project mutation, color changes, rendering, outputs, and media directory discovery.
Complete 1:1 integration ... with 88 tools across 14 categories ... `create_project` ... `set_grade` ... `start_render` ... `list_directory` `find_media`
Use this only when you want AI-assisted control of Assimilate, and require explicit confirmation before create, set, import, output, or render actions.
You must trust the npm package and its maintainers, because this review cannot verify the code that will actually run.
The configured MCP server runs an npm package through npx, while the supplied review artifacts include no package source code.
"command": "npx", "args": ["-y", "assimilate-mcp"]
Inspect the npm/GitHub package, pin a trusted version where possible, and install only from the expected publisher.
Anyone or anything with the configured key and network access to the API may be able to control the target Assimilate instance.
The skill may use an Assimilate authorization key to control the REST API, which is expected for this integration but grants delegated control.
`--key` | `ASSIMILATE_KEY` | — | Authorization key |
Keep the key private, avoid placing it in shared configs, and use the narrowest access supported by Assimilate.
A misconfigured host, port, or tunnel could expose the Assimilate control API beyond the intended local machine.
The skill communicates with a local or tunneled HTTP API, so the network boundary determines who can reach the controlled Assimilate service.
Live FX HTTP server enabled ... default port 8080 ... For remote machines, use an SSH tunnel
Keep the API bound to localhost when possible, use SSH tunnels only to trusted hosts, and protect the port with firewalling and authentication.