Mcps
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent MCP command-line manager, but it can run trusted MCP servers, start a local daemon, and call powerful tools, so users should install it only when they intend that access.
Install this skill only if you want OpenClaw to manage and call MCP servers through the mcps CLI. Use trusted MCP server packages, keep tokens least-privileged, confirm any destructive or account-changing tool calls, and stop or disable the daemon/servers when they are no longer needed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could call configured MCP tools that read, create, update, or delete data, depending on what servers the user has added.
The skill documents arbitrary MCP tool invocation, including database/data-change style calls. This is central to the skill's purpose, but it can affect external systems if used with powerful MCP servers.
`mcps call <server> <tool> [args...]` ... `script="DELETE FROM table WHERE id = 'xxx';"`
Only configure trusted MCP servers, and require explicit user confirmation before mutating databases, repositories, tickets, accounts, or production systems.
A malicious or compromised MCP server package could run code with the user's local privileges.
Adding stdio MCP servers involves launching local commands or package runners. This is expected for an MCP manager, but it means configured servers execute code locally.
`mcps add <name> --command <cmd> --args <args>`; examples use `uvx mcp-server-fetch` and `npx @modelcontextprotocol/server-postgres`
Add only trusted server commands/packages, pin versions where practical, and avoid configuring unknown MCP servers.
Configured MCP servers may be able to access databases or GitLab resources using the provided credentials.
The configuration examples show database and GitLab credentials being passed to MCP servers. This is purpose-aligned, but those credentials may grant significant account or data access.
`POSTGRES_CONNECTION_STRING`: `${DATABASE_URL}` ... `GITLAB_PERSONAL_ACCESS_TOKEN`: `${GITLAB_TOKEN}`Use environment variables, least-privileged credentials, separate test credentials when possible, and rotate tokens if an MCP server is no longer trusted.
The safety of the skill depends partly on the npm package and any server packages it launches.
The skill installs an external npm package to provide the mcps binary. This is normal for a CLI-based skill, but the installed package code is outside the provided artifact contents.
node | package: @maplezzk/mcps | creates binaries: mcps
Verify the npm package source, publisher, and version before installation, and keep dependencies updated from trusted sources.
Sensitive prompts, parameters, or retrieved data could be exposed to an MCP server if the user configures one.
The skill supports MCP communication over SSE/HTTP endpoints. This is expected, but tool arguments and results may cross a boundary to the configured MCP server.
`mcps add remote --type sse --url http://localhost:8000/sse` ... `mcps add http-server --type http --url http://localhost:8000/mcp`
Use trusted MCP endpoints, prefer secure transport for non-local servers, and avoid sending secrets or private data to untrusted tools.
Configured MCP servers and daemon state may remain available across tasks until stopped or removed.
The skill documents starting a local daemon and storing persistent MCP configuration. This persistence is disclosed and controllable.
`mcps start` | Start daemon ... `mcps stop` | Stop daemon ... Config file: `~/.mcps/mcp.json`
Stop the daemon when not needed and remove or disable servers that should no longer be available.