Skill v1.1.0

ClawScan security

Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Feb 13, 2026, 3:41 PM)
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and instructions line up with a Brighty banking MCP adapter: it needs mcporter and a BRIGHTY_API_KEY and instructs the agent to call Brighty endpoints via mcporter; the main risk is that it relies on npx to fetch runtime code from a GitHub repo, which you should review before use.
Guidance
This skill is coherent for a Brighty MCP adapter, but take these precautions before installing:
- Inspect the GitHub repo (Maay/brighty_mcp) referenced by the npx command; npx will download and execute whatever code is published there. Prefer a pinned release/version rather than the latest code if possible.
- Confirm you trust the mcporter binary and run it in an isolated environment (separate account or container) if you plan to allow financial operations.
- Keep BRIGHTY_API_KEY scoped to the minimum required privileges and never paste it into chat or skill files; follow the SKILL.md advice to keep it in a secure env file.
- Require explicit human confirmation for any payouts/terminations (the SKILL.md already recommends this).
- If you need higher assurance, ask the publisher for a signed release or repository commit hash to pin, or request an install spec that uses a verified package release.
No regex scan findings were available because this is an instruction-only skill with no code files to analyze; that does not eliminate runtime risk from the npx-downloaded adapter.

Review Dimensions

Purpose & Capability
ok: Name/description (Brighty banking) match the declared requirements: mcporter binary and BRIGHTY_API_KEY are exactly what a third-party MCP adapter would need. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
ok: SKILL.md confines actions to registering an MCP server and using mcporter call brighty.* commands. It instructs explicit flows (list accounts, create payouts, confirm before starting payouts). It does not ask to read unrelated files or additional env vars.
Install Mechanism
note: No formal install spec, but config/mcporter.json instructs mcporter to run `npx -y github:Maay/brighty_mcp`. That executes code fetched from a GitHub repo at runtime, a common pattern for adapters but still a dynamic code execution surface you should review. This is not inherently incoherent with the skill's purpose, but it is the primary operational risk.
Credentials
ok: Only BRIGHTY_API_KEY is required and declared as the primary credential. This matches the documented API usage and the mcporter config, which injects that env var. No excessive or unrelated credentials are requested.
Persistence & Privilege
ok: Skill is user-invocable and not forced always-on. It does not request system-wide changes nor declare modifications to other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.