warn
suspicious.install_untrusted_source
- Location
- mcporter.json:5
- Finding
- Install source points to URL shortener or raw IP.
Maverick X Mcp
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
Detected: suspicious.install_untrusted_source
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
A future upstream change or compromise could alter what code is installed and run on the user's machine under this skill.
Why it was flagged
The skill fetches its upstream MCP server and requirements from the moving GitHub master branch, with no pinned commit, package lock, or integrity hash in the artifacts.
Skill content
RAW_BASE_URL = "https://raw.githubusercontent.com/xdevplatform/xmcp/master"
SERVER_URL = f"{RAW_BASE_URL}/server.py"
REQUIREMENTS_URL = f"{RAW_BASE_URL}/requirements.txt"Recommendation
Pin the upstream XMCP code to a reviewed commit or release, verify hashes, and pin Python dependencies before trusting this in a sensitive environment.
What this means
Downloaded or dependency-provided code can execute locally and may be able to read environment variables available to the skill process.
Why it was flagged
After preparing the cached downloaded server and virtual environment, the wrapper executes server.py with a copied environment, which can include the OAuth material supplied to the skill.
Skill content
python = _ensure_venv(xmcp_dir) values = _write_env_file(xmcp_dir, host=args.host, port=args.port) child_env = os.environ.copy() child_env.update(values) os.execve(str(python), [str(python), "server.py"], child_env)
Recommendation
Avoid automatic execution of downloaded code, vendor or review the server source, and run it with a minimized environment that excludes unnecessary secrets.
What this means
If approved, the agent may create or delete public X content on the connected account.
Why it was flagged
The skill can perform externally visible X actions, but the artifact clearly requires explicit confirmation before those actions.
Skill content
Write operations that post, delete posts, reply, repost, like, follow, edit, or otherwise publish externally visible X content require explicit user confirmation with the exact final text or action.
Recommendation
Only approve write/delete actions after checking the exact final post text or account action.
What this means
The connected X account credentials are stored locally and can provide ongoing read/write access until revoked or expired.
Why it was flagged
The wrapper persists X OAuth tokens and client information into mcporter's local credential vault so it can refresh and call the X API.
Skill content
return home / ".mcporter" / "credentials.json"
...
"tokens": {
"access_token": access,
"refresh_token": refresh_token,
"token_type": "Bearer",
},
"clientInfo": client_info,Recommendation
Use a dedicated, revocable X OAuth grant where possible, protect the local user account, and revoke the integration if no longer needed.