Universal Command Pattern
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent documentation for a Supernal command framework, with expected notes around installing an external npm package and exposing commands through API/MCP surfaces.
Before installing, confirm that @supernal/universal-command is the intended package and pin a trusted version. When using it, be careful about which commands you expose through API or MCP, especially commands that create, delete, publish, or modify important data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package brings third-party code into the project, so the package version and publisher matter.
The skill tells users to install an external npm package without pinning a version. This is expected for a package-usage skill, but users should verify package provenance and version before relying on it.
npm install @supernal/universal-command
Verify the npm package, pin a trusted version, and review normal package-lock or dependency controls before using it in important projects.
A command registered through this pattern could become callable by an AI-agent-facing MCP interface, so sensitive or destructive commands need explicit safeguards.
The documented pattern can expose command handlers as MCP tools for AI agents. This is central to the skill's purpose, but users should make sure exposed commands have appropriate boundaries.
const mcpTool = userCreate.toMCP(); ... const server = createMCPServer(registry); ... await server.startMCP({ name: 'my-server', transport: 'stdio' });Expose only intended commands through MCP, add authentication or authorization where applicable, and require user review for commands that mutate data or perform high-impact actions.