ClawHub
Back to skill
v1.0.0

Gov Contracts

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:09 AM.

Analysis

The skill is a coherent government-contract search integration, but it relies on a disclosed remote MCP server that users should trust before adding.

GuidanceThis appears suitable for searching public government contracting data. Before installing, make sure you trust the remote MCP endpoint and avoid submitting confidential business or procurement details unless that is acceptable for your use case.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
mcporter add gov-contracts --url https://gov-contracts-mcp.apify.actor/mcp --transport streamable-http

The skill is instruction-only and directs setup to a remote MCP endpoint; the user must trust that remote service to implement the advertised tools.

User impactAfter installation, the agent may call a remote MCP server controlled outside the supplied artifacts.
RecommendationInstall only if you trust the publisher and remote endpoint, and remove the MCP config entry if you no longer want the service available.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
"url": "https://gov-contracts-mcp.apify.actor/mcp", "transport": "streamable-http"

Tool calls are routed to a remote MCP service, so user search terms and query parameters may be sent to that service.

User impactQueries about companies, opportunities, or contracting research may be visible to the remote MCP provider.
RecommendationAvoid sending confidential procurement strategy or sensitive business information unless you are comfortable with the remote provider handling those queries.