Mcp Marketplace
v3.0.0Install, configure, and manage MCP servers. Search 50+ verified servers plus npm and Smithery registries. Auto-generate configs for OpenClaw, Claude Desktop,...
⭐ 1· 96·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (MCP Marketplace: discover, install, manage MCP servers) match the included assets and scripts (search_registries, build_config, install_server, health_check, manage_servers, etc.). The catalog entries and templates align with the stated functionality.
Instruction Scope
Runtime instructions direct the agent to run the included Python scripts and to merge/write entries into client config files (e.g., .mcp.json, Claude Desktop config, Cursor config). They also instruct running install commands discovered via the catalog (npx/uvx/npm/pip/docker). Reading/writing those config paths and prompting users to set env vars is consistent with the purpose, but the skill will access user config files and may create state under the user's home directory (e.g., ~/.openclaw/mcp-marketplace).
Install Mechanism
There is no external install spec (instruction-only style) and the included scripts are local. The installer flows rely on package managers (npx, uvx, npm, pip, docker) to fetch MCP server packages — expected for this use case. No remote arbitrary binary download URLs were present in the reviewed files.
Credentials
The skill itself declares no required env vars or credentials and follows a pattern of using ${VAR} placeholders for server tokens. The catalog entries do list many service-specific env vars (GITHUB_TOKEN, SLACK_BOT_TOKEN, POSTGRES_CONNECTION_STRING, etc.), which is expected for integrating those services. The SKILL.md explicitly instructs not to paste tokens into chat and to set env vars locally — consistent and proportional.
Persistence & Privilege
The skill writes/reads local configuration and keeps installed-state under ~/.openclaw/mcp-marketplace and merges entries into client config files (project .mcp.json, Claude paths, Cursor config). It does not request always:true. Persisting state and editing client configs are within scope but are privileged actions — back up config files before proceeding.
Assessment
This skill appears to do what it says: discover, build config entries, and help install MCP servers. Important things to consider before installing or running it:
- The skill will run local Python scripts that read and write config files (project .mcp.json, Claude/Cursor config locations) and store install state under your home directory; back up any existing configs first.
- To actually install servers it will execute install commands (npx, uvx, pip, docker, etc.) which download and run third‑party packages. Only approve installs for packages you trust; unverified npm/Smithery packages carry the usual supply‑chain risks.
- The skill does not collect tokens in chat and uses ${VAR} placeholders, but it will require you to set sensitive env vars (GITHUB_TOKEN, SLACK_BOT_TOKEN, DB connection strings, etc.) locally. Never paste secrets into chat; use environment variables or a secrets manager.
- If you want extra assurance, inspect the unreviewed scripts referenced during install (notably install_server.py and secrets_helper.py) before running them, or run installs in an isolated environment/container.
- If anything in the scripts looks unexpected to you (network endpoints, telemetry, or unexpected writes outside the described config locations), stop and ask for clarification.Like a lobster shell, security has layers — review code before you run it.
installvk973fta3gcqt6w3qv3b2jd33dd83vvbclatestvk973fta3gcqt6w3qv3b2jd33dd83vvbcmarketplacevk973fta3gcqt6w3qv3b2jd33dd83vvbcmcpvk973fta3gcqt6w3qv3b2jd33dd83vvbcserversvk973fta3gcqt6w3qv3b2jd33dd83vvbc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.