mcp-charter-planner
v1.0.0
Plan BVI sailing charters with real anchorages, weather-aware routing, provisioning lists, and local knowledge. Returns complete itineraries tailored by expe...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, and shipped source implement a sailing charter planner (anchorage DB, weather season logic, itinerary generator). Required binary (npx) is plausible for the provided MCP packaging approach.
Instruction Scope
SKILL.md instructs the agent to start an MCP server with npx and documents the plan_charter parameters. The instructions do not ask the agent to read unrelated files, environment variables, or to exfiltrate data. They do, however, rely on installing and running remote npm code at runtime (npx).
Install Mechanism
There is no formal install spec in registry metadata, but SKILL.md directs use of npx to fetch @vbotholemu/mcp-charter-planner. Installing via npx executes code fetched from npm (moderate risk). The package sources are included in the skill bundle for inspection, which reduces uncertainty, but runtime behavior will still depend on whatever is published to npm under that package name.
Credentials
No environment variables, credentials, or filesystem paths are requested. The code does not reference secrets or unrelated system config.
Persistence & Privilege
Skill is not always-enabled and allows normal agent invocation. It does not request elevated platform persistence or modify other skills' configs.
Assessment
This skill appears to be what it says (BVI charter planning) and ships readable source, but before installing or running it with npx:
1) verify the npm package name and publisher (SKILL.md uses @vbotholemu while README mentions @velocibot — confirm which package you'll fetch).
2) Inspect the published npm package contents (or prefer installing from the bundled source) because npx will fetch and run remote code.
3) If you want to be cautious, run the tool in a sandboxed environment or vendor the package locally and pin a specific trusted version.
4) Check the package's dependency list and recently published versions on the npm registry for unexpected changes.
If you can provide the npm package URL or publisher identity, I can re-check for mismatches or red flags and raise confidence.
Like a lobster shell, security has layers — review code before you run it.
latest vk97aymsm0g3xaj8nv0emsxx9ed840g7g
Runtime requirements
⛵ Clawdis
Bins: npx
