Back to skill

Security audit

Mcp Integration

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MCP connector, but it gives agents broad access to configured external tools and data sources without built-in per-tool approval or containment.

Install only if you trust every MCP server you configure and understand what its tools can read or change. Prefer HTTPS or local trusted servers, least-privilege and read-only credentials, per-agent/tool allowlists, and human approval for database writes, account changes, deletion, publishing, or administrative actions. Redact logs and configs before sharing diagnostics, and verify the MCP SDK dependency is updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly enables discovery and execution of arbitrary external MCP tools, which implies network-capable behavior and access to external systems, yet the skill metadata does not declare corresponding permissions or constraints. This creates a transparency and policy-enforcement gap: users and hosting platforms may not understand that invoking the skill can reach remote services, exfiltrate prompts/data, or trigger actions on connected systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly demonstrates a generic database query capability through the unified `mcp` tool, including raw SQL execution, but does not place a clear user-facing warning near the example about exposure to sensitive records, destructive queries, or the risk of connecting high-privilege backends. In this skill context, the danger is elevated because the plugin is specifically designed to let agents discover and invoke external tools dynamically, so normalizing database access in documentation can encourage unsafe deployments or prompt-driven access to sensitive data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill markets MCP integration as a general mechanism to discover and execute tools from external servers, including APIs and database connectors, but does not warn users that arbitrary tool execution may send sensitive data to third parties or cause real-world side effects. In this context, the omission is especially dangerous because the skill encourages broad tool discovery and multi-step execution workflows, increasing the chance of privacy loss, unsafe actions, or misuse of powerful connected systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes a generic `mcp` tool that can enumerate and invoke arbitrary tools on connected MCP servers, including examples such as database querying, over HTTP transport, without any warning about external side effects, data exfiltration, or trust boundaries. In an agent setting, this can normalize unsafe use of powerful remote capabilities and increase the likelihood that agents or integrators invoke sensitive tools without explicit user consent or scoping.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The documentation includes an example that places an API key directly inside openclaw.json before later warning against committing secrets. Even though the guide later recommends environment variables, showing an inline secret in a realistic config can normalize insecure secret handling and lead users to store credentials in plaintext where they may be exposed via source control, backups, or local file disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting guide instructs users to collect configuration and recent logs and then share the resulting diagnostic report, but only mentions redacting secrets later and not as a prominent warning before collection/sharing. Config files and logs commonly contain API keys, bearer tokens, internal hostnames, file paths, and other sensitive operational data, so this can lead to inadvertent disclosure to third parties such as issue trackers or chat channels.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plugin forwards arbitrary user-supplied arguments directly to remote MCP server tools and returns the result, but the exposed tool description does not clearly warn that data will be sent to external services. In an agent setting, this can lead to unintended exfiltration of sensitive prompts, files, tokens, or internal context to third-party MCP servers, especially because the skill is specifically designed to bridge agents to external tools and data sources.

File System Enumeration

Medium
Category
Data Exfiltration
Content
openclaw --version

echo -e "\n=== Plugin Status ==="
ls -la ~/.openclaw/extensions/mcp-integration/

echo -e "\n=== Configuration ==="
cat ~/.openclaw/openclaw.json | jq '.plugins.entries["mcp-integration"]'
Confidence
78% confidence
Finding
ls -la ~/

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.25.3 — 1 advisory(ies): CVE-2026-25536 (@modelcontextprotocol/sdk has cross-client data leak via shared server/transport)

High
Category
Supply Chain
Confidence
98% confidence
Finding
@modelcontextprotocol/sdk==1.25.3

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.