Back to skill
Skillv1.0.0
ClawScan security
Gov Regulatory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 27, 2026, 5:57 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only skill that coherently exposes a third-party MCP server for Federal Register searches; it requests no credentials and does not install code, so its footprint matches its stated purpose.
- Guidance
- This skill is coherent for regulatory monitoring, but before installing: verify you trust the remote MCP server (https://regulatory-monitor-mcp.apify.actor) because your query terms and returned data will flow through that third party; review the linked GitHub repo (homepage) if possible; ensure the 'mcporter' binary you use is from a trusted source; do not send sensitive or private data in queries to the external service; if you want stronger assurance, run queries manually against official Federal Register APIs or host your own trusted mirror rather than registering an external actor server in your MCP config.
Review Dimensions
- Purpose & Capability
- okName/description (Federal Register/regulatory monitoring) matches the instructions: the SKILL instructs the agent to register/query an external MCP server that provides Federal Register data. The only required binary is 'mcporter', which is reasonable for adding MCP servers.
- Instruction Scope
- noteInstructions only tell the agent to run 'mcporter add' or add an entry to ~/.openclaw/mcp.json and then call the declared tools (reg_search_documents, reg_get_document, etc.). This stays within the stated purpose. Note: adding the remote server means query terms (user queries) will be sent to that third‑party endpoint.
- Install Mechanism
- okNo install spec or code files are provided (instruction-only), so nothing is written to disk by the skill itself. Risk depends on the external 'mcporter' binary being present and trustworthy, but that is a user decision outside the skill.
- Credentials
- okThe skill requests no environment variables or credentials. The only config change it suggests is adding an MCP server entry to ~/.openclaw/mcp.json, which is proportional to its purpose.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request permanent privileges or attempt to modify other skills or system-wide settings beyond adding its own MCP server entry.