Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gate-mcp-installer

v1.0.0

One-click installer and configurator for Gate MCP (mcporter) in OpenClaw. Use when the user wants to (1) Install mcporter CLI tool, (2) Configure Gate MCP se...

by kobin2 @kobin-be
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included script and SKILL.md: the script installs mcporter (npm i -g mcporter), adds a Gate MCP config pointing at https://api.gatemcp.ai/mcp, and verifies connectivity. These actions are proportionate to an installer/configurator.
Instruction Scope
The runtime instructions and script are limited to installing mcporter, running mcporter config commands, and listing tools. However, SKILL.md's troubleshooting mentions an unrelated host (fulltrust.link), which is inconsistent with the script's Gate URL (api.gatemcp.ai) and could indicate stale or erroneous text that should be clarified. The script prompts interactively and does not exfiltrate data, but the mismatch is a red flag to verify before running.
Install Mechanism
There is no packaged installer spec; the script uses npm to globally install an npm package (mcporter). Pulling and running a package from the public npm registry is common but carries moderate risk (npm package install scripts run arbitrary code on install). Global installs may require elevated privileges and modify your system PATH.
Credentials
The skill requests no environment variables, reads no credentials, and the script does not access secrets or unrelated config paths. No disproportionate credential access is requested.
Persistence & Privilege
The skill is not forced-always and does not modify other skills, but it causes a system-wide change by installing a global npm package. That persistence (a globally installed binary) is expected for an installer but increases blast radius if the npm package is malicious or compromised.
What to consider before installing
Before running this installer: (1) Verify the mcporter npm package and its maintainers on npmjs.org (review package source, install scripts, and recent publish history). (2) Confirm the intended Gate MCP endpoint—the script uses https://api.gatemcp.ai/mcp but SKILL.md mentions fulltrust.link; ask the publisher which is correct. (3) Prefer running the manual commands yourself (npm i -g mcporter or npx mcporter) in a controlled environment or container rather than blindly executing the script. (4) Be aware a global npm install can execute arbitrary install-time code and may require sudo; if you cannot verify the package, do not install globally on a production machine. (5) If you want higher assurance, request the skill author/publisher identity and source repository or run the steps in an isolated VM.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972r784vfayv9e9bg262kwzm582a1bb
