Salai MCP (Beta)

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill is coherent for grocery search and price comparison, but it uses a Salai API key and can change the user’s Salai cart.

Install only if you trust the Salai remote MCP service and are comfortable giving it an API key for your Salai account. Ask the agent to confirm before changing or deleting cart items, and keep the API key secret.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may add, update, remove, or delete items in the user’s Salai grocery cart if invoked for cart workflows.

Why it was flagged

The skill exposes tools that can modify or delete the user's Salai cart. This is aligned with the stated cart-management purpose, but users should understand that it can change account state.

Skill content

- Cart management:
  - `get_cart`
  - `get_my_cart`
  - `update_cart_items`
  - `add_cart_item`
  - `remove_cart_item`
  - `delete_cart`

Recommendation

Confirm with the user before performing cart mutations, especially removing items or deleting a cart.

What this means

Anyone or any agent process with this key could act through the Salai MCP service within the key’s allowed scope.

Why it was flagged

The skill requires a user API key to access Salai's remote MCP service. This is expected for the integration and is disclosed as a secret credential.

Skill content

primaryEnv: SALAI_API_KEY ... Auth: send a user API key from Salai Profile using either: `Authorization: Bearer <SALAI_API_KEY>` ... `X-API-Key: <SALAI_API_KEY>`

Recommendation

Store the API key only in the intended secret environment variable, do not paste it into chat, and revoke or rotate it if exposed.

What this means

Users have limited registry-provided provenance information for verifying the publisher or implementation behind the remote endpoint.

Why it was flagged

The registry metadata does not provide a source repository or homepage, while the skill asks users to connect to a remote service. This is a provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the Salai domain, beta enrollment process, and API-key source before enabling the skill or entering credentials.