mcp-sanctions-check
v1.0.0
Check names against the OFAC SDN (Specially Designated Nationals) sanctions list via MCP. Downloads and caches official SDN CSV, auto-refreshes every 24h. Ca...
⭐ 0 · 45 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
Name, description, SKILL.md, README, package.json and the included source all describe and implement the same functionality: download the OFAC SDN CSV, cache it, token-match names against it, apply an optional country filter, and expose the result as an MCP tool. The one required binary (npx) is consistent with the suggested MCP config, which launches the server via npx.
Instruction Scope
Runtime instructions only direct the agent to run the MCP server via npx and call the check_sanctions tool. SKILL.md does not instruct the agent to read unrelated files or access credentials. The code reads and writes a cache file in the OS temp directory and performs HTTPS GETs to the OFAC URL only.
Install Mechanism
There is no install spec in the skill bundle; SKILL.md recommends launching via npx (npx -y @vbotholemu/mcp-sanctions-check). npx fetches the package from the npm registry at runtime. This is expected for an MCP server, but it means the agent downloads and executes remote code every time the package is not already cached, so the package name and publisher matter. The SDN download URL is the official treasury.gov CSV (no suspicious endpoints).
Credentials
The skill declares no required env vars, which matches its behavior. The code does accept an override via process.env.SDN_URL, which SKILL.md does not document. The value is not a secret, but it is an undeclared environment option that decides where the sanctions list is fetched from: whoever controls the environment controls the data every lookup is matched against. No credentials or secret env vars are requested.
Persistence & Privilege
The skill writes a cache file to the system temp directory only (CACHE_FILE under os.tmpdir()) and refreshes it every 24h. It does not request permanent agent-wide privileges or set always:true. It uses the MCP stdio transport (local IPC). No persistence beyond the cache file and no elevated privileges were observed. Note that the cache path is fixed (ofac-sdn-cache.csv) and the temp directory is shared with every local user, so on a multi-user host check how the cached file is validated before it is trusted.
Assessment
This skill appears coherent and implements an OFAC SDN name-checker that downloads the official CSV and caches it locally. Before installing or running it:

1) Confirm the npm package name and publisher you will fetch with npx. SKILL.md uses @vbotholemu/mcp-sanctions-check while the README references @velocibot; verify which is correct on npm and who the publisher is.
2) Be aware that npx will download and execute code from the npm registry at runtime. Run it in an isolated environment if you cannot verify the package.
3) The tool caches data in the OS temp directory (ofac-sdn-cache.csv) and refreshes it every 24h. If you need to override the source CSV you can set SDN_URL (undocumented in SKILL.md).
4) Review the package on the npm registry (publisher, versions, recent changes) or inspect the included source before trusting it in production.

Like a lobster shell, security has layers: review code before you run it.
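To make the Credentials, Persistence and Assessment findings above concrete, here is an added example (written for this review, not the package's own code) that models the behaviour the scan describes: parse SDN-style CSV rows, token-match a query name, apply an optional country filter, decide whether a 24-hour cache is stale, and validate an SDN_URL override so that only an https URL on treasury.gov is accepted. The CSV rows, the column positions used for Program and Remarks, and the choice to match the country filter against the Remarks field are assumptions made for illustration; the rows are constructed and are not real SDN entries.

```javascript
// Added example, not code from the mcp-sanctions-check package.
// Models the scan's description: SDN CSV cache + token match + optional
// country filter + 24h refresh + hardened SDN_URL override.
const DEFAULT_SDN_URL = "https://www.treasury.gov/ofac/downloads/sdn.csv";
const CACHE_MAX_AGE_MS = 24 * 60 * 60 * 1000; // the 24h refresh window

// Minimal RFC 4180-style line parser: handles quoted fields containing commas
// and doubled quotes, which SDN names such as "DOE, JOHN" rely on.
function parseCsvLine(line) {
  const fields = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ",") { fields.push(cur); cur = ""; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

// Assumption: SDN.csv layout with no header row; columns 0..3 are
// ent_num, SDN_Name, SDN_Type, Program and column 11 is Remarks.
function parseSdn(csvText) {
  return csvText.split(/\r?\n/).filter(l => l.trim()).map(l => {
    const f = parseCsvLine(l);
    return { id: f[0], name: f[1], type: f[2], program: f[3], remarks: f[11] || "" };
  });
}

// Uppercase, strip punctuation, split on whitespace.
function tokenize(s) {
  return s.toUpperCase().replace(/[^A-Z0-9 ]+/g, " ").split(/\s+/).filter(Boolean);
}

// Token match: every token of the query must appear among the entry's name
// tokens (order-insensitive, so "John Doe" matches "DOE, JOHN"). The optional
// country filter is matched against Remarks (assumption for this example).
function checkSanctions(entries, query, country) {
  const q = tokenize(query);
  if (q.length === 0) return []; // an empty query must never match everything
  return entries.filter(e => {
    const nameTokens = new Set(tokenize(e.name));
    if (!q.every(t => nameTokens.has(t))) return false;
    if (country && !e.remarks.toUpperCase().includes(country.toUpperCase())) return false;
    return true;
  });
}

// Cache policy: refresh once the file is 24h old or older.
function isCacheFresh(cacheMtimeMs, nowMs) {
  return nowMs - cacheMtimeMs < CACHE_MAX_AGE_MS;
}

// Hardening for the undocumented SDN_URL override: reject anything that is
// not https on treasury.gov, so a stray or hostile environment cannot swap
// in another list and silently turn every lookup into a clean result.
function resolveSdnUrl(env) {
  const raw = env.SDN_URL;
  if (!raw) return DEFAULT_SDN_URL;
  let u;
  try { u = new URL(raw); } catch { throw new Error("SDN_URL is not a valid URL"); }
  const onTreasury = u.hostname === "treasury.gov" || u.hostname.endsWith(".treasury.gov");
  if (u.protocol !== "https:" || !onTreasury) {
    throw new Error("SDN_URL must be an https URL on treasury.gov");
  }
  return u.toString();
}

// Constructed sample rows in SDN.csv layout ("-0- " marks an empty field).
// Not real SDN data.
const SAMPLE_CSV = [
  '1001,"DOE, JOHN",individual,SDGT,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,"DOB 01 Jan 1970; nationality Elbonia"',
  '1002,"ACME TRADING CO., LTD.",entity,IRAN,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ',
  '1003,"DOE, JANE",individual,CUBA,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,"nationality Freedonia"',
].join("\n");

const SAMPLE_ENTRIES = parseSdn(SAMPLE_CSV);

// Example usage: checkSanctions(SAMPLE_ENTRIES, "John Doe") returns the 1001 row;
// checkSanctions(SAMPLE_ENTRIES, "Doe", "Freedonia") returns only the 1003 row.
```

The two points worth carrying over to a real deployment are the empty-query guard in checkSanctions (an all-tokens-match rule with zero tokens would otherwise match every entry) and the host allow-list in resolveSdnUrl, which is the check the scan's "undeclared environment option" note implies is missing.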
latest: vk97ckvb8vkdhmmxbsaz9q2h1eh8419wa
Runtime requirements
🛡️ Clawdis
Bins: npx
