mcp-adapter
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it says, but it gives the agent a broad bridge to execute whatever tools are exposed by configured MCP servers, including potentially sensitive database or API tools.
Install only if you understand and trust the MCP servers you will configure. Prefer read-only or least-privilege server credentials, restrict which agents can use the mcp tool, and require confirmation for database writes, account changes, public posting, or other high-impact MCP tools.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a configured MCP server exposes powerful tools, the agent could run database queries, API actions, or other high-impact operations through this adapter.
Agent-provided server, tool name, and arguments are forwarded directly to the selected MCP server tool. The code does not show per-tool allowlists, mutation checks, or a confirmation step before execution.
case 'call': { ... const result = await mcpManager.callTool(params.server, params.tool, params.args || {});
Only connect trusted MCP servers, prefer read-only credentials, restrict which agents can use the mcp tool, and add approval/allowlist controls for mutating or sensitive tools.
A connected server could influence how the agent chooses or uses tools by providing deceptive descriptions or schemas.
Tool descriptions and schemas come from MCP servers and are used to guide agent behavior. This is expected, but malicious or compromised MCP servers could include misleading instructions in tool metadata.
For each tool, examine: ... description: Understand what the tool does ... inputSchema: JSON Schema defining parameters
Use trusted MCP servers and treat tool descriptions/results as untrusted external content, especially before sensitive actions.
The agent may indirectly use API keys or service accounts configured for MCP servers.
Credentials are expected for many MCP-backed services, but calls made through this adapter may execute under those configured service privileges.
MCP servers often require environment variables for API keys or configuration.
Use least-privilege credentials, separate read-only from write-capable servers, and avoid exposing production credentials unless necessary.
Queries, arguments, and possibly sensitive context may be transmitted to external or local MCP servers.
Tool calls and arguments are sent to the configured MCP server URL. This is the core function of the adapter, but it means user/task data can leave OpenClaw for whatever server is configured.
fetch(this._url, { method: 'POST', headers, body: JSON.stringify(message) ... })
Use HTTPS for non-local servers, connect only to trusted endpoints, and avoid sending secrets or private data unless the MCP server is intended to receive them.
An incorrect or malicious MCP response could influence follow-up calls to other tools or systems.
The documented workflow encourages chaining MCP outputs into later tool calls. This is useful, but a bad or misleading result from one server could propagate into later actions.
For complex requests, execute multiple tools in sequence... Each step uses output from the previous step to inform the next call.
Validate intermediate results before using them in additional tool calls, especially when later calls modify data or contact other systems.
It may be harder to verify who maintains the skill or where updates come from.
The package provenance is not clear from the registry metadata. No malicious install behavior is shown, but users have limited source context.
Source: unknown; Homepage: none
Verify the publisher and code provenance before installing, especially because this skill can bridge to powerful external tools.
