VoteShip

v0.2.0

Manage feature requests, votes, roadmaps, and changelogs with VoteShip.

by Matt Kilmer (@mattkilmer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, and required environment variables (VOTESHIP_API_KEY, VOTESHIP_PROJECT_SLUG) align with a feature‑request / board management integration. The declared node package (@voteship/mcp-server) that provides a voteship-mcp binary is consistent with a CLI helper for the service.
Instruction Scope
SKILL.md contains only VoteShip-related actions (listing/creating/updating posts, votes, tags, webhooks, analytics, AI triage) and references the two declared env vars. It does not instruct the agent to read unrelated system files, arbitrary environment variables, or exfiltrate data to third‑party endpoints beyond configuring webhooks (which is a documented VoteShip feature).
Install Mechanism
The install uses an npm package (@voteship/mcp-server) which is an expected distribution method for a Node CLI, but npm installs are moderate risk because they introduce third‑party code onto the system. No direct URL downloads or archives are used (good). Verify the package publisher and contents before installing.
Credentials
Only two env vars are required, which matches the skill's purpose. However, the VOTESHIP_API_KEY is a high‑privilege credential (admin access according to the docs) that grants full project control (create/delete posts, configure webhooks, update users, sync MRR). Requesting this single key is proportionate to admin functionality but carries elevated risk if misused.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system configs. It will install a binary via npm (own artifact) but does not require persistent platform privileges beyond normal installation.
Assessment
This skill appears internally consistent with a VoteShip integration, but exercise caution before installing and supplying VOTESHIP_API_KEY:
1) Confirm the npm package (@voteship/mcp-server) exists on a trusted registry (npmjs.org), review its publisher, recent release history, and package contents (bin scripts).
2) Verify the service homepage/docs (https://voteship.app/docs) and that the package maps to the official project.
3) Only provide an API key scoped to the minimal project and rotate it after testing; avoid giving long‑lived global keys when a project‑scoped key is possible.
4) Review any webhook endpoints you configure and monitor audit logs for unexpected activity.
If you cannot verify the npm package publisher or the service origin, treat installation as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latest vk97cdhtaqr1xjgatjgsqp7z5mh828mne

Runtime requirements

🚀 Clawdis
Env: VOTESHIP_API_KEY, VOTESHIP_PROJECT_SLUG
Primary env: VOTESHIP_API_KEY

Install

Node
Bins: voteship-mcp
npm i -g @voteship/mcp-server
