mcporter
v1.0.0Manage and interact with MCP servers and tools via the mcporter CLI, supporting listing, configuring, authenticating, calling tools, and generating CLI/types.
⭐ 1· 3k·7 current·7 all-time
by@livvux
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
SKILL.md clearly documents a mcporter CLI skill for managing MCP servers and config (listing servers, auth, calling tools, generating CLI/types). That purpose is coherent with the content. However, the top-level registry metadata provided to the evaluator omitted required binaries and config paths (the SKILL.md metadata requires the 'mcporter' binary and mentions '~/.config/mcporter/'), so the declared capabilities/requirements are inconsistent with the runtime instructions.
Instruction Scope
Runtime instructions instruct the agent to run the mcporter CLI and to use MCP server configuration stored at '~/.config/mcporter/'. That config likely contains server endpoints and authentication tokens/credentials. The SKILL.md does not instruct unrelated file access or network exfiltration, but it does assume access to a local config that can hold sensitive secrets — and the registry did not declare that config path as required.
Install Mechanism
There is no install spec in the registry entry, but SKILL.md metadata suggests installing via Homebrew formula 'pdxfinder/tap/mcporter' (a third‑party tap). Installing from an unverified tap is moderate risk compared with an official formula or well-known release host; it requires reviewing the Homebrew formula/source before trusting the binary.
Credentials
The skill declares no required environment variables or primary credential, but the instructions expect mcporter config in '~/.config/mcporter/', which may contain server credentials. The omission of this config-path/credential requirement from the registry metadata is a proportionality mismatch and increases the chance that sensitive data will be accessed without clear declaration.
Persistence & Privilege
The skill is instruction-only, has no always:true flag, and does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default), which is expected for skills. There is no indication the skill modifies other skills or global agent settings.
What to consider before installing
This skill appears to be an instruction wrapper for the mcporter CLI and is otherwise coherent, but there are a few issues to check before installing:
- Confirm the install source: SKILL.md points to a Homebrew formula in the 'pdxfinder/tap' tap (a third‑party tap). Inspect the tap/formula on GitHub to ensure it builds the expected mcporter binary and doesn't contain malicious build/install steps. Prefer official or well-known release channels when possible.
- Inspect local config: mcporter uses '~/.config/mcporter/' for server configuration; review any files there (or the files the CLI will create) since they can contain server endpoints and authentication tokens. Treat those as sensitive.
- Metadata mismatch: the registry entry omits required binaries and config paths that SKILL.md references. Ask the skill author/maintainer to update the registry metadata to declare the 'mcporter' binary requirement and the config path so you can evaluate permissions more clearly.
- Test in a sandbox first: if you want to be cautious, install and run mcporter in an isolated environment (VM, container) and review network activity and created files before allowing it access to your regular account and secrets.
If the author provides an official release URL, an audited Homebrew formula, or updated registry metadata that declares the config path and binaries, my confidence would improve and the assessment could move toward 'benign.'Like a lobster shell, security has layers — review code before you run it.
latestvk97b0yyzh7pntb5w7c4tyr9n517zzb6c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.