Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mcps

v0.1.1

MCP CLI Manager - Manage MCP servers and call tools

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binary (mcps), and the npm install spec (@maplezzk/mcps) align with a CLI manager for MCP servers. Examples referencing PostgreSQL, GitLab, HTTP, SSE servers are consistent with a general-purpose MCP manager.
Instruction Scope
SKILL.md instructs the agent to run mcps commands and to manage ~/.mcps/mcp.json; that is within the skill's purpose. Note: examples show env-var substitution (e.g., ${DATABASE_URL}, ${GITLAB_TOKEN}) and file-based JSON params — when mcps is run it may read the config file and any env vars available to the agent, which could expose secrets if present. The skill does not itself instruct the agent to read unrelated system files.
Install Mechanism
Installation is via an npm package (@maplezzk/mcps) which produces the expected 'mcps' binary. npm installs are a common, expected mechanism for Node CLIs; they can execute code during install, so verify package provenance before installing globally.
Credentials
The skill declares no required environment variables (none required by the registry metadata), which is consistent. However, practical use expects service-specific secrets (DB connection strings, GITLAB_TOKEN, etc.) stored in env vars or the config file. These are proportionate to the functionality but require caution — mcps will forward env values to servers and may read ~/.mcps/mcp.json.
Persistence & Privilege
The skill does not request permanent presence (always: false) and contains no instructions to modify other skills or system-wide agent settings. Default autonomous invocation is enabled (normal); nothing here escalates privileges beyond a typical CLI tool.
Assessment
This skill appears to be what it says: a CLI manager that installs the 'mcps' binary via npm and runs mcps commands. Before installing or using it:
1) Verify the npm package and GitHub repository (author, stars, recent commits) to ensure you trust the publisher.
2) Prefer installing in an isolated environment (container or non-global install) if you’re unsure.
3) Be careful with ~/.mcps/mcp.json and environment variables — do not store or expose production secrets (DATABASE_URL, GITLAB_TOKEN, etc.) unless you trust the tool and the environment; mcps will read/forward those values when launching servers.
4) Review the package source code if you need high assurance (npm packages can run code at install and runtime).
If those checks are acceptable, the skill is coherent with its purpose.


Runtime requirements

🔌 Clawdis
Bins: mcps

Install

Install mcps
Bins: mcps
npm i -g @maplezzk/mcps
