Interop Forge
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a disclosed monorepo integration helper that can make broad project changes and generate MCP/auth code, so users should review its plan and diffs before use.
Before installing, treat this as a repo-writing integration assistant: verify the source/version, review its plan and diffs, avoid committing secrets, and check generated MCP/auth code before running or deploying it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may substantially change a repository's structure, generated code, and configuration.
The skill is explicitly designed to write and modify important monorepo files. This is purpose-aligned, but it can affect builds, APIs, and app behavior.
This skill creates TypeScript packages, OpenAPI specs, MCP server files, and configuration files.
Review the execution plan and file diffs before accepting changes, and run builds/tests after each incremental change.
Generated MCP servers or SDKs could later run with access to user-provided service credentials.
Generated code may rely on cloud, database, and LLM service credentials. The artifact discloses this and says the skill does not directly read credential files.
`OPENROUTER_API_KEY` is optionally used in generated MCP server code ... `SUPABASE_URL`, `SUPABASE_ANON_KEY`, `GCP_PROJECT_ID`, and `GOOGLE_APPLICATION_CREDENTIALS` are referenced in generated inter-app SDK code and MCP server implementations
Use least-privilege credentials, keep secrets out of source control, and review generated credential-handling code before deployment.
If generated MCP tools are too broad or weakly authenticated, agents may gain more app access than intended.
MCP servers expose application capabilities to agents. This is core to the skill, but it creates an inter-agent/tool boundary that should be reviewed.
scaffold full MCP servers so each app can be orchestrated by AI agents
Review each generated MCP tool, authentication check, and allowed operation before enabling the server.
Users may have less clarity about the exact published version and source location of the skill.
The supplied registry metadata has limited provenance information and differs from the included claw.json, which declares version 1.0.0, a GitHub homepage, and node/npx/git requirements.
Version: 0.1.1; Source: unknown; Homepage: none
Verify the skill source and version before relying on it for significant repository changes.