ClawHub
Back to skill
v1.1.0

Beach Safety

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:07 AM.

Analysis

Review recommended: the beach lookup purpose is coherent, but the setup points mcporter at a hard-coded Python server path outside the managed skill tree.

GuidanceThe beach-safety functionality appears aligned with its description, and the visible code does not show exfiltration or destructive behavior. Before installing, verify the exact Python server file you configure in mcporter, avoid using the hard-coded author-specific path as-is, and understand that beach/location queries plus any optional OpenUV key may be sent to external services.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
The MCP server code lives in `projects/beach-safety-mcp/` (outside the skills tree — safe from clawhub reinstalls). ... "args": ["/Users/evanfoglia/.openclaw/workspace/projects/beach-safety-mcp/src/server.py"]

The recommended runtime path is a hard-coded local Python file outside the managed skill package, so the code mcporter runs may not be the reviewed packaged `src/server.py`.

User impactInstalling as written could leave your agent running a local MCP server from a path that ClawHub does not manage or update.
RecommendationOnly configure mcporter to run a local server file you created from reviewed source, prefer a managed/relative install path, and remove the mcporter entry when no longer needed.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
src/server.py
return provided_key or os.environ.get("OPENUV_API_KEY", "")

The server can read an OpenUV API key from the environment even though the registry metadata lists no required environment variables.

User impactIf you set OPENUV_API_KEY, the skill may use that credential for UV lookups.
RecommendationUse a limited OpenUV key if needed and avoid placing unrelated secrets in the server environment.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
src/server.py
await client.get("https://nominatim.openstreetmap.org/search", params={"q": q, "format": "json", "limit": 3, "addressdetails": 1,}, headers={"User-Agent": "BeachSafetyMCP/1.0"})

The skill sends the user-provided beach search query to external geocoding services as part of its normal lookup flow.

User impactBeach names or locations you ask about may be shared with third-party geocoding and weather providers.
RecommendationAvoid entering private home addresses or sensitive location details unless you are comfortable sharing them with those providers.