mcporter
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: mcporter-skill Version: 1.0.0 The skill bundle provides a wrapper for the `mcporter` CLI tool, enabling an AI agent to manage MCP servers and tools. The installation instructions use a standard Homebrew formula (`pdxfinder/tap/mcporter`), and the provided commands (`list`, `auth --help`, `call`, `generate`, `config --help`) are all legitimate uses of the `mcporter` CLI. There is no evidence of intentional harmful behavior, data exfiltration, malicious execution, persistence, or prompt injection attempts against the agent to perform unauthorized actions. The skill's behavior is clearly aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used against a powerful MCP server, a tool call could read, change, or trigger actions in connected systems.
The skill intentionally exposes direct CLI execution for invoking MCP tools. This is aligned with the skill purpose, but MCP tools can have effects beyond simple read-only operations depending on the configured server.
mcporter call <server-name> <tool-name> [arguments...] ... Use `exec` tool to run mcporter commands
Use this only with trusted MCP servers, review the exact server, tool name, and arguments before running, and avoid destructive or account-changing tool calls unless clearly intended.
Authenticated MCP servers may be able to access or change data according to the permissions granted to those credentials.
The skill includes authentication management for MCP servers. This is expected for its stated purpose, but it means mcporter may use account-level credentials or tokens for configured services.
### Authentication ```bash mcporter auth --help ```
Authenticate only to trusted servers, prefer least-privilege credentials, and review mcporter's stored authentication/configuration before granting broad access.
The behavior and security of the skill ultimately depend on the installed mcporter binary and its distribution source.
The skill depends on an external CLI installed from a Homebrew tap. That dependency is disclosed and central to the purpose, but the runnable CLI code is not included in this instruction-only skill.
`mcporter` CLI installed (via Homebrew: `brew install pdxfinder/tap/mcporter`)
Install mcporter from the intended upstream source, keep it updated, and review the Homebrew formula or project page if supply-chain provenance matters for your environment.
Arguments or data sent to an MCP server may be handled by that server, and untrusted servers could return misleading or unsafe tool outputs.
The skill is designed to interact with MCP servers over HTTP or stdio, including ad-hoc servers. This is purpose-aligned, but users should treat server identity and trust boundaries as important.
mcporter supports both HTTP and stdio MCP servers - Ad-hoc server creation is supported
Connect only to MCP servers you trust, avoid sending sensitive data to unknown servers, and verify ad-hoc server configurations before use.