Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MCP Protocol Configuration

Configure and manage MCP servers so that AI can call external tools such as visual understanding and web search.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill claims to configure/manage MCP servers (plausible), but the instructions require installing 'clawhub' (via npm) while the runtime uses 'mcporter' (npx mcporter) — these names don't match. The SKILL metadata declares no required env vars or config paths, yet the sample config expects MINIMAX_API_KEY, MINIMAX_MCP_BASE_PATH, and MINIMAX_API_HOST. The package/host names and the _meta.json ownerId differ from the registry metadata, and there's no homepage or source URL to verify origins.
! Instruction Scope
Runtime instructions tell the user/agent to create ~/.config/mcporter and store API keys in a JSON file, then run npx mcporter commands that will execute external MCP packages. They also instruct running a remote installer (curl | sh) to install 'uvx'. The instructions reference environment variables and a config path not declared in the skill metadata and give the agent broad discretion to install and execute external binaries, which could perform arbitrary filesystem or network actions.
! Install Mechanism
There is no formal install spec, but the SKILL.md directs installing software: 'npm install -g clawhub' and 'curl -LsSf https://astral.sh/uv/install.sh | sh'. The latter is a remote install script (curl|sh) from an external domain (astral.sh) — a high-risk pattern because it downloads and executes code from an unverified source. The install target ('clawhub') doesn't obviously match the runtime tool ('mcporter'/'mcporter.json'), increasing incoherence.
! Credentials
Metadata lists no required environment variables, but the sample configuration embeds MINIMAX_API_KEY, MINIMAX_MCP_BASE_PATH, and MINIMAX_API_HOST. That means sensitive credentials are expected to be stored in the user's config directory despite not being declared. The skill also suggests MCP packages like filesystem-mcp and github-mcp, which, if used, would legitimately require broader permissions — this is not called out in the metadata.
Persistence & Privilege
The skill is instruction-only and does not set always:true or request autonomous elevation. However, following the instructions will create files in the user's home (~/.config/mcporter) and install global binaries (npm -g) or system-wide tools via a remote installer, producing persistent system changes outside the agent. The skill itself does not declare persistent privileges, but its recommended actions do create persistent artifacts.
What to consider before installing
This skill is inconsistent and requires caution. Before installing or running any commands:

1) Do not run curl ... | sh from unknown domains — it can install arbitrary code.
2) Verify the actual tool names and sources (what is 'mcporter', who publishes 'clawhub', and is 'astral.sh' trustworthy).
3) Treat MINIMAX_API_KEY as sensitive: don't paste production keys into an unverified config file; use least-privilege/test credentials or secrets manager.
4) Inspect the MCP packages (minimax-coding-plan-mcp, uvx, etc.) on their official registries/repos and review their code.
5) Prefer running these steps in an isolated environment (VM/container) or decline until the author/source and package provenance are confirmed.
6) Ask the skill author for a homepage/source repo and a clear explanation for why 'clawhub' is installed but 'mcporter' is used.

If you cannot verify origins and contents, avoid running the install commands or providing API keys.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97b62zqxtajpgb414na86shg181qzgy


SKILL.md

MCP Skill - Model Context Protocol Usage Skill

Overview

This skill configures and manages MCP (Model Context Protocol) servers so that AI can call external tools.


1. Install mcporter

npm install -g clawhub

Make sure uvx is available:

which uvx
# If it is not available:
curl -LsSf https://astral.sh/uv/install.sh | sh

2. Configure the MCP server

2.1 Create the config file

mkdir -p ~/.config/mcporter

2.2 MiniMax MCP configuration example

{
  "mcpServers": {
    "MiniMax": {
      "type": "stdio",
      "command": "uvx",
      "args": ["minimax-coding-plan-mcp"],
      "env": {
        "MINIMAX_API_KEY": "你的API密钥",
        "MINIMAX_MCP_BASE_PATH": "/tmp/mcporter-output",
        "MINIMAX_API_HOST": "https://api.minimaxi.com"
      }
    }
  }
}

Save this to ~/.config/mcporter/mcporter.json
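An added example (not part of this skill or of mcporter): a Python audit of an mcpServers-style config like the one above. It lists the command each server entry would launch, then flags secret-named env values stored inline, paths under a shared temp directory, and a file mode readable by other users. The key value and the temp file are constructed sample data, and `audit_config` and `demo` are names chosen here.

```python
import json
import os
import re
import stat
import tempfile

SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)
SHARED_TMP = ("/tmp/", "/var/tmp/")

# Constructed sample: the page's config with a made-up key value.
SAMPLE = {"mcpServers": {"MiniMax": {
    "type": "stdio", "command": "uvx", "args": ["minimax-coding-plan-mcp"],
    "env": {"MINIMAX_API_KEY": "sk-constructed-not-a-real-key",
            "MINIMAX_MCP_BASE_PATH": "/tmp/mcporter-output",
            "MINIMAX_API_HOST": "https://api.minimaxi.com"}}}}


def audit_config(path):
    """Return (server, finding) tuples for an mcpServers-style JSON file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(("<file>", f"mode {mode:04o} is open to other users; use 0600"))
    with open(path, encoding="utf-8") as fh:
        servers = json.load(fh).get("mcpServers", {})
    for name, spec in servers.items():
        # Inventory what a runner would launch, so it can be reviewed first.
        cmd = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
        findings.append((name, f"will execute: {cmd}"))
        for key, value in spec.get("env", {}).items():
            value = str(value)
            if SECRET_NAME.search(key) and value:
                findings.append((name, f"{key} is stored inline in the file"))
            if value.startswith(SHARED_TMP):
                findings.append((name, f"{key}={value} is under a shared temp directory"))
    return findings


def demo(mode=0o644):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mcporter.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, mode)
        return audit_config(path)


if __name__ == "__main__":
    for server, finding in demo():
        print(f"[{server}] {finding}")
```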


3. Verify the configuration

npx mcporter --config ~/.config/mcporter/mcporter.json list

On success it shows:

✔ Listed 1 server (1 healthy)

4. Call tools

4.1 Visual understanding

npx mcporter --config ~/.config/mcporter/mcporter.json call MiniMax.understand_image \
  "prompt: 描述图片内容" \
  "image_source: /path/to/image.jpg"

4.2 Web search

npx mcporter --config ~/.config/mcporter/mcporter.json call MiniMax.web_search \
  "query: 搜索内容"

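5. Common MCP servers

| MCP package name | Function |
| --- | --- |
| minimax-coding-plan-mcp | Visual understanding, web search |
| linear-mcp | Linear project management |
| filesystem-mcp | File system operations |
| github-mcp | GitHub operations |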

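6. Common problems

6.1 MCP server offline

  • Check that the API key is correct
  • Check the network connection
  • Confirm that the MCP package name is correct

6.2 Parameter errors

View the available parameters (replace <服务器名> with the server name):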

npx mcporter list <服务器名> --schema

6.3 Permission problems

  • Make sure the directory exists
  • Make sure you have write permission

Last updated: 2026-02-24

Files

2 total