Skill v1.0.0
ClawScan security
Mongo Db Client Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 4:30 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements match its stated purpose of providing a Python-based MongoDB CLI client; nothing requests unrelated credentials or installs unexpected tooling.
- Guidance: This skill appears to do exactly what it says: run MongoDB operations via a Python CLI. Before installing, verify which MongoDB instance the agent will talk to (MONGO_URI or config.json) and avoid pointing it at production data without review. Be cautious about granting any automated agent the ability to call operations that include 'confirm': true — those flags are the protection against accidental destructive actions (drop/delete). Running the provided setup script in an isolated environment is advisable (it creates a .venv and pip-installs pymongo). If you need higher assurance, inspect the full mongo_client.py (it’s included) and test against a non-production database.
Review Dimensions
- Purpose & Capability (ok): Name/description (MongoDB client) align with the provided files: a Python CLI (mongo_client.py), a setup script that installs pymongo, and docs for configuring MONGO_URI or config.json. Required binary (python3) and the documented env vars are appropriate for the stated purpose.
- Instruction Scope (note): SKILL.md restricts actions to MongoDB operations via a JSON payload and documents connection resolution and destructive-operation safeguards (drop/delete require a 'confirm' flag). One minor note: the client searches for config.json in both the skill dir and workspace paths (Path.cwd() candidate), so it could pick up a config outside the skill directory if present — expected for convenience, but worth being aware of.
- Install Mechanism (ok): There is no remote arbitrary download. Setup is a local shell script that creates a venv and pip-installs pymongo from PyPI (expected for a Python skill). INSTALL-UBUNTU.md references official MongoDB repos for local server install. These are standard and proportionate to the purpose.
- Credentials (ok): Declared and used environment variables are limited to MongoDB connection settings (MONGO_URI, MONGO_DB, MONGO_HOST, MONGO_PORT, MONGO_USER, MONGO_PASSWORD). No unrelated secrets or service credentials are requested.
- Persistence & Privilege (ok): Skill is not force-included (always: false). It creates a venv under its own scripts directory and does not modify other skills or system-wide agent settings. The skill can be invoked autonomously (platform default), which is expected for skills that perform DB operations — users should control when destructive payloads are sent.
