Doctor of Credit

AdvisoryAudited by Static analysis on May 13, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence

ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing or using the skill may download and run code from npm to provide the MCP tools.

Why it was flagged

The skill relies on running an external npm package through npx, but the package implementation is not included in the submitted artifacts and no pinned package version is shown.

Skill content

mcpServers:\n      doc-mcp:\n        command: npx\n        args: ["-y", "@guava-tech/doc-mcp"]

Recommendation

Only install if you trust the publisher/package source, and prefer a pinned or reviewed package version where possible.