mcporter

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward wrapper for the mcporter CLI, with expected risks around MCP server trust, credentials, and configuration changes.

Install only if you trust the mcporter CLI source and the MCP servers you configure. Review commands before running auth, config, ad-hoc server, or tool-call operations, because they may store credentials, change local mcporter configuration, or send arguments and context to local or remote MCP servers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly supports authentication, config management, ad-hoc server creation, and direct MCP tool invocation, but it does not warn users that these actions can modify local configuration files or affect stored credentials under the user's mcporter setup. In an agent setting, that omission is dangerous because users may authorize config edits or auth flows without understanding they are changing persistent local state or exposing tokens to downstream MCP integrations.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill advertises direct calls to HTTP and stdio MCP servers and ad-hoc server support, but it does not disclose that invoking those servers may send prompts, arguments, environment-derived data, or local context to external network services or local executables. This is risky because an agent may route sensitive user or system information through untrusted MCP endpoints without informed consent, especially when the protocol targets arbitrary servers.

VirusTotal

65/65 vendors flagged this skill as clean.
