Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MongoDB Atlas
v1.0.0
Browse MongoDB Atlas Admin API specifications and execute operations (if credentials are provided).
by David Wang (@finishy1995)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Benign (high confidence)
Purpose & Capability
Name/description match the contents: the package includes a full Atlas OpenAPI spec and two Node scripts — one for browsing the spec and one for making API calls. Requiring `node` and Atlas service account credentials (ATLAS_CLIENT_ID, ATLAS_CLIENT_SECRET) is appropriate for this functionality.
Instruction Scope
SKILL.md instructs the agent to run local Node scripts that only read the bundled OpenAPI spec and, when credentials are present, perform live HTTP calls to MongoDB Atlas. The runtime scripts are explicit about when they will modify resources and require interactive approval for POST/PUT/PATCH/DELETE. Note: atlas-call.mjs also reads and writes a local token cache and can use two optional env vars (ATLAS_GROUP_ID, ATLAS_API_BASE_URL) that are not listed as required; these are reasonable but should be documented.
Install Mechanism
No install step or external downloads are used; this is instruction-plus-local-code only. All included files are present in the bundle (the large OpenAPI JSON and two scripts). No remote installers, URL downloads, or archives are present.
Credentials
The two required env vars (ATLAS_CLIENT_ID, ATLAS_CLIENT_SECRET) are appropriate for obtaining OAuth tokens via the client-credentials flow. The scripts additionally accept the optional ATLAS_GROUP_ID and ATLAS_API_BASE_URL (documented in the script), but these are not declared as required; this is low-risk but worth documenting. The skill does not request unrelated credentials.
Persistence & Privilege
The client caches the OAuth access token to disk under ~/.openclaw/.cache/mongodb-atlas/token.json to avoid repeated token requests; it does not persist client secrets. Writing a token cache to the user's home directory is reasonable for an API client, but it means authentication state persists on disk after a session, which the user should take into account.
Assessment
This skill is coherent with its description: it bundles the Atlas OpenAPI spec and provides Node scripts to browse the spec and (if you provide ATLAS_CLIENT_ID and ATLAS_CLIENT_SECRET) make live API calls. Before installing or using it, consider:
- The tool will perform network calls to your Atlas endpoint and will exchange your service-account credentials for an access token (expected for this purpose). The client secret is used only for the token request and is not stored by the skill.
- A token cache (access_token and expiry) is written to ~/.openclaw/.cache/mongodb-atlas/token.json; if you share the machine, remove that file when finished or run clearCachedToken if needed.
- State-changing HTTP methods (POST/PUT/PATCH/DELETE) require explicit approval in the script, and SKILL.md recommends always using --dry-run first. Do not run with --yes in automation unless you intentionally want destructive actions.
If you trust the source and will only use it as a read-only spec browser, you can omit the Atlas credentials. If you plan to run live calls, provide service-account credentials with least privilege (a service account scoped only to the projects and operations you intend to use).
Like a lobster shell, security has layers: review code before you run it.
Latest version: vk97f3gqwzgyhx3p4hgdvywbsmn80z578
Runtime requirements
Bins: node
Env: ATLAS_CLIENT_ID, ATLAS_CLIENT_SECRET