AllOurThings
Advisory
Audited by static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised npm package could run local code with access to the configured inventory vault, including receipts, photos, warranties, and inventory records.
The skill runs an npm MCP server using npx with automatic yes behavior and no pinned package version; the package code is not included in the reviewed artifacts.
```json
"command": "npx",
"args": ["-y", "@allourthings/mcp-server"]
```
Install only if you trust the npm package source. Prefer a pinned version, reviewed source code, checksums or lockfiles, and clear disclosure that npm code will be executed.
Inventory entries and attached receipts, manuals, photos, or warranty files could be removed from the vault, and cloud sync may propagate those changes.
The skill exposes destructive vault operations. This is aligned with inventory management, but the artifact does not describe confirmation, undo, or backup behavior.
| `delete_item` | Delete an item and all its attachments |
Ask the agent to confirm before deleting or bulk-updating items, and keep backups or rely on cloud version history/trash where possible.
Private household records, purchase history, receipts, photos, and warranty documents may be read or modified through the skill and may sync to cloud storage if the chosen folder is synced.
The skill uses a persistent local or synced vault containing personal inventory data and attachments that can later be searched and reused as context.
backed by a local or cloud-synced vault (iCloud Drive, Dropbox, OneDrive, or any folder)
Point `ALLOURTHINGS_DATA_DIR` only at a dedicated AllOurThings vault, avoid mixing unrelated private files into that folder, and protect the cloud account or local folder permissions.
