Mcps

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: mcps-skill
Version: 0.1.1

The skill is suspicious due to its broad capabilities for arbitrary command execution and process management, as detailed in `SKILL.md`. The `mcps add --command <cmd>` functionality allows the agent to run any specified binary, and the tool is designed to handle sensitive environment variables (e.g., `DATABASE_URL`, `GITLAB_TOKEN`). While these features align with the skill's stated purpose of managing CLI servers, they present a significant attack surface for potential misuse by a malicious prompt or a compromised agent, despite the skill bundle itself lacking explicit malicious instructions.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could call configured MCP tools that read, create, update, or delete data, depending on what servers the user has added.

Why it was flagged

The skill documents arbitrary MCP tool invocation, including database/data-change style calls. This is central to the skill's purpose, but it can affect external systems if used with powerful MCP servers.

Skill content

`mcps call <server> <tool> [args...]` ... `script="DELETE FROM table WHERE id = 'xxx';"`

Recommendation

Only configure trusted MCP servers, and require explicit user confirmation before mutating databases, repositories, tickets, accounts, or production systems.

What this means

A malicious or compromised MCP server package could run code with the user's local privileges.

Why it was flagged

Adding stdio MCP servers involves launching local commands or package runners. This is expected for an MCP manager, but it means configured servers execute code locally.

Skill content

`mcps add <name> --command <cmd> --args <args>`; examples use `uvx mcp-server-fetch` and `npx @modelcontextprotocol/server-postgres`

Recommendation

Add only trusted server commands/packages, pin versions where practical, and avoid configuring unknown MCP servers.

What this means

Configured MCP servers may be able to access databases or GitLab resources using the provided credentials.

Why it was flagged

The configuration examples show database and GitLab credentials being passed to MCP servers. This is purpose-aligned, but those credentials may grant significant account or data access.

Skill content

`POSTGRES_CONNECTION_STRING`: `${DATABASE_URL}` ... `GITLAB_PERSONAL_ACCESS_TOKEN`: `${GITLAB_TOKEN}`

Recommendation

Use environment variables, least-privileged credentials, separate test credentials when possible, and rotate tokens if an MCP server is no longer trusted.

What this means

The safety of the skill depends partly on the npm package and any server packages it launches.

Why it was flagged

The skill installs an external npm package to provide the mcps binary. This is normal for a CLI-based skill, but the installed package code is outside the provided artifact contents.

Skill content

node | package: @maplezzk/mcps | creates binaries: mcps

Recommendation

Verify the npm package source, publisher, and version before installation, and keep dependencies updated from trusted sources.

What this means

Sensitive prompts, parameters, or retrieved data could be exposed to an MCP server if the user configures one.

Why it was flagged

The skill supports MCP communication over SSE/HTTP endpoints. This is expected, but tool arguments and results may cross a boundary to the configured MCP server.

Skill content

`mcps add remote --type sse --url http://localhost:8000/sse` ... `mcps add http-server --type http --url http://localhost:8000/mcp`

Recommendation

Use trusted MCP endpoints, prefer secure transport for non-local servers, and avoid sending secrets or private data to untrusted tools.

What this means

Configured MCP servers and daemon state may remain available across tasks until stopped or removed.

Why it was flagged

The skill documents starting a local daemon and storing persistent MCP configuration. This persistence is disclosed and controllable.

Skill content

`mcps start` | Start daemon ... `mcps stop` | Stop daemon ... Config file: `~/.mcps/mcp.json`

Recommendation

Stop the daemon when not needed and remove or disable servers that should no longer be available.