mcp-adapter

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: mcp-adapter
Version: 0.1.0

The skill bundle is classified as suspicious due to the declared `stdio` transport capability within the `config/openclaw.plugin.json` schema. This schema explicitly includes properties like `command`, `args`, and `env` for the `stdio` transport, which would allow arbitrary command execution on the host system. While the current JavaScript implementation in `src/index.js` only supports the `http` transport, declaring this high-risk capability in the plugin's configuration schema makes the bundle inherently risky, even if the current code does not exercise it. The `SKILL.md` and other documentation files are benign and do not contain prompt injection attempts.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a configured MCP server exposes powerful tools, the agent could run database queries, API actions, or other high-impact operations through this adapter.

Why it was flagged

Agent-provided server, tool name, and arguments are forwarded directly to the selected MCP server tool. The code does not show per-tool allowlists, mutation checks, or a confirmation step before execution.

Skill content
case 'call': { ... const result = await mcpManager.callTool(params.server, params.tool, params.args || {});

Recommendation

Only connect trusted MCP servers, prefer read-only credentials, restrict which agents can use the mcp tool, and add approval/allowlist controls for mutating or sensitive tools.

Note (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

A connected server could influence how the agent chooses or uses tools by providing deceptive descriptions or schemas.

Why it was flagged

Tool descriptions and schemas come from MCP servers and are used to guide agent behavior. This is expected, but malicious or compromised MCP servers could include misleading instructions in tool metadata.

Skill content
For each tool, examine: ... description: Understand what the tool does ... inputSchema: JSON Schema defining parameters

Recommendation

Use trusted MCP servers and treat tool descriptions/results as untrusted external content, especially before sensitive actions.

What this means

The agent may indirectly use API keys or service accounts configured for MCP servers.

Why it was flagged

Credentials are expected for many MCP-backed services, but calls made through this adapter may execute under those configured service privileges.

Skill content
MCP servers often require environment variables for API keys or configuration.

Recommendation

Use least-privilege credentials, separate read-only from write-capable servers, and avoid exposing production credentials unless necessary.

What this means

Queries, arguments, and possibly sensitive context may be transmitted to external or local MCP servers.

Why it was flagged

Tool calls and arguments are sent to the configured MCP server URL. This is the core function of the adapter, but it means user/task data can leave OpenClaw for whatever server is configured.

Skill content
fetch(this._url, { method: 'POST', headers, body: JSON.stringify(message) ... })

Recommendation

Use HTTPS for non-local servers, connect only to trusted endpoints, and avoid sending secrets or private data unless the MCP server is intended to receive them.

Note (Medium Confidence)
ASI08: Cascading Failures
What this means

An incorrect or malicious MCP response could influence follow-up calls to other tools or systems.

Why it was flagged

The documented workflow encourages chaining MCP outputs into later tool calls. This is useful, but a bad or misleading result from one server could propagate into later actions.

Skill content
For complex requests, execute multiple tools in sequence... Each step uses output from the previous step to inform the next call.

Recommendation

Validate intermediate results before using them in additional tool calls, especially when later calls modify data or contact other systems.

What this means

It may be harder to verify who maintains the skill or where updates come from.

Why it was flagged

The package provenance is not clear from the registry metadata. No malicious install behavior is shown, but users have limited source context.

Skill content
Source: unknown; Homepage: none

Recommendation

Verify the publisher and code provenance before installing, especially because this skill can bridge to powerful external tools.