Back to skill
Skillv1.0.0
ClawScan security
lt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 28, 2026, 3:00 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with its stated purpose (signing and attesting via an mcporter-backed MCP server); it mainly instructs the agent to configure and use a known CLI (mcporter) to talk to an external MCP endpoint.
- Guidance
- This skill is an instruction-only integration that expects the mcporter CLI and directs mcporter to communicate with https://mcp.0protocol.dev. Before installing: (1) verify you trust the mcporter binary (install source and integrity); (2) verify you trust the MCP server URL (attestations you create may be recorded/public and persistent); (3) be aware the skill asks you to add a local mcporter config entry (config/mcporter.json) which enables the CLI to contact that server; (4) review the upstream project repository and API docs linked in SKILL.md if you need stronger assurance. If you want to limit exposure, run mcporter in an isolated environment or review traffic to the MCP endpoint before publishing sensitive data.
Review Dimensions
- Purpose & Capability
- noteThe SKILL.md describes an identity/attestation service and requires the mcporter CLI — that aligns with the stated purpose. Minor inconsistency: registry metadata calls the skill "lt" while the SKILL.md and _meta.json use "0protocol" / "0.protocol" (likely cosmetic).
- Instruction Scope
- noteInstructions tell the operator to add an entry to config/mcporter.json and to run mcporter call commands that send signed expressions to https://mcp.0protocol.dev. This is within scope for an attestation service, but it does direct the agent to write a local config file and to transmit attestations/public statements to an external endpoint — users should understand those attestations will be recorded and may be public/persistent.
- Install Mechanism
- okNo install spec and no code files — instruction-only. This is low-risk from an installation perspective; the skill assumes the mcporter binary already exists on PATH.
- Credentials
- okNo environment variables, credentials, or config paths beyond adding an mcporter config entry are requested. The skill claims the agent generates a local keypair; that local key material is expected for signing and is proportionate to the purpose.
- Persistence & Privilege
- okalways:false and no requests to modify other skills or system-wide agent settings. The skill's runtime instructions write to a local mcporter config file (expected) but do not request persistent elevated privileges.