Zapier MCP
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: zapier-mcp
Version: 1.0.0
The skill is suspicious due to insufficient validation of the user-provided `mcpUrl` in `reference/zapier-backend.ts`. While the URL is checked for HTTPS and a basic `tools/list` response, a malicious server could mimic Zapier's API, allowing an attacker to hijack the agent's communication with Zapier and potentially intercept or manipulate subsequent `mcporter call` requests. This represents a significant vulnerability where a user could be tricked into configuring a malicious endpoint, leading to potential compromise of agent actions or data, even though the skill itself does not exhibit explicit malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If broad Zapier actions are exposed, an agent mistake or ambiguous instruction could change external accounts, send messages, or create business records.
The documented examples show the agent can use Zapier tools to send email, post messages, and create records/events in third-party apps.
mcporter call zapier-mcp.gmail_send_email ... / google_sheets_create_row ... / google_calendar_create_event ...
Expose only the Zapier actions you actually want the agent to use, and require explicit confirmation before sending messages, creating records, or touching financial/business systems.
A mistaken or deceptive URL could register a non-Zapier MCP server under the Zapier name, letting an unexpected remote endpoint define tools and receive tool-call instructions.
The backend only enforces HTTPS and does not restrict the configured MCP server to Zapier’s documented actions.zapier.com/mcp origin.
if (!mcpUrl.startsWith("https://")) { ... error: "MCP URL must use HTTPS" }
Verify that the URL begins with the official Zapier MCP origin; the implementation should restrict or clearly warn on non-Zapier MCP URLs.
Anyone who gets the MCP URL may be able to access the Zapier actions configured for that URL.
The MCP URL acts as an authentication secret for the user’s configured Zapier actions, even though registry metadata lists no primary credential.
Zapier MCP uses a simple URL-based authentication — just paste your MCP URL and you're connected.
Treat the MCP URL like an API key: do not share it, avoid screenshots/logs that reveal it, and regenerate it in Zapier if exposed.
