MCP Colombia

Review

Audited by ClawScan on May 10, 2026.

Overview

Review before installing: the skill is mostly coherent, but it runs an external npm MCP server and appears able to perform identity-gated job applications using CV/LinkedIn data without clear submission safeguards in the provided artifacts.

Install only if you trust the npm package and its maintainers. Treat the search and comparison tools as lower risk, but be cautious with Soulprint tokens, Brave API keys, CV/LinkedIn URLs, and any job-application action; require explicit confirmation before submitting anything on your behalf.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could submit or initiate job applications and share personal profile/CV information under unclear boundaries.

Why it was flagged

The artifact advertises a job-application action involving a CV or LinkedIn URL, but the provided text does not show clear per-listing confirmation, submission limits, or what data is sent.

Skill content

"Use when: ... applying to jobs with real listings from El Empleo/Computrabajo/LinkedIn" ... "trabajo_aplicar" ... "cv_url (string, optional) — CV or LinkedIn URL"

Recommendation

Only use the job-application tool after reviewing the underlying npm package, and require explicit user confirmation for each application and each CV/profile submission.

What this means

You are trusting the current npm package and its dependencies, not just the SKILL.md text shown here.

Why it was flagged

The skill directs users to run an npm package through npx without a pinned version; this is expected for an MCP server but means the reviewed artifact does not include the code that will execute.

Skill content

"command": "npx", "args": ["-y", "mcp-colombia-hub"]

Recommendation

Inspect the npm package and GitHub repository, consider pinning a known-good version, and avoid using sensitive tokens until the package provenance is trusted.

What this means

Using the token may reveal or rely on your Soulprint identity, DID, score, and reputation data.

Why it was flagged

The skill supports an optional identity token used to query a live validator node and unlock score-gated functionality.

Skill content

"x-soulprint-token": "<your SPT token>" ... "reads from x-soulprint-token capability" ... "Validator node: https://soulprint-node-production.up.railway.app"

Recommendation

Use only a token you are comfortable sharing with this MCP server, prefer revocable/limited tokens if available, and verify the validator and package before enabling sensitive operations.

What this means

Personal identity, reputation, job-search, and CV/profile information may leave the local agent environment.

Why it was flagged

The MCP server may exchange identity information with an external validator and may process CV/LinkedIn URLs for job workflows; the validator destination is disclosed, but the provided artifact does not fully describe data handling for job submissions.

Skill content

"Queries the live validator node for on-chain data" ... "cv_url (string, optional) — CV or LinkedIn URL"

Recommendation

Avoid sending sensitive CV/profile links unless necessary, and check the package documentation/privacy behavior for where job-application data is transmitted and retained.