critical
suspicious.exposed_secret_literal
- Location
- scripts/templates/init-mcporter.sh:91
- Finding
- File appears to expose a hardcoded API secret or token.
Mcporter Skill Builder
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
Detected: suspicious.exposed_secret_literal
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernMedium Confidence
ASI03: Identity and Privilege AbuseWhat this means
If this is a real embedded secret, generated OAuth skills could expose or reuse credential material that does not belong in a public scaffold.
Why it was flagged
The static scan reports this line as an apparent hardcoded API secret or token inside the OAuth initialization template that is copied into generated OAuth skills.
Skill content
client_secret: [REDACTED],
Recommendation
Inspect scripts/templates/init-mcporter.sh before installing or using this skill. Remove any literal secret, source client secrets only from declared env vars or secure provisioning, and rotate the exposed secret if it was real.
NoteHigh Confidence
ASI01: Agent Goal HijackWhat this means
A compromised or untrusted MCP server could publish instructions that try to steer the agent beyond the user’s intended task.
Why it was flagged
Generated MCP wrapper skills tell the agent to rely on instructions returned by the live MCP server. This is normal MCP behavior, but those instructions come from a remote service and may be outside the user’s direct control.
Skill content
The output includes the server's `Instructions:` field (read it) and a JSON Schema for every tool's parameters. Treat this as the authoritative reference for the rest of the session.
Recommendation
Use generated wrappers only with trusted MCP servers, and treat server-published instructions as subordinate to the user’s request and platform safety rules.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
If the upstream MCP exposes write or administrative tools, the agent may be able to mutate third-party data using the configured credentials.
Why it was flagged
Generated skills expose the upstream MCP tool surface through mcporter. That is the point of the wrapper, but the actual tools and their side effects are determined by the upstream MCP.
Skill content
This skill is a thin pass-through to the hosted MCP server at `<BASE_URL>`... `bash {baseDir}/scripts/invoke.sh call <SLUG>.<tool> <arg>=<value> ...`Recommendation
Review the live tool catalog with `list --schema`, understand which tools can change data, and require explicit user approval for high-impact calls.
NoteHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
A generated stdio wrapper can execute local MCP server code with the host user’s filesystem and network permissions.
Why it was flagged
Stdio-mode generated skills intentionally run local subprocess MCP servers, including package-runner commands.
Skill content
mcporter spawns it as a subprocess on each call... Command `npx -y @vendor/foo` → `requires.bins: ["mcporter", "npx"]`.
Recommendation
Only scaffold stdio wrappers for trusted commands or packages, pin or verify package sources where possible, and avoid exposing unreviewed local MCP servers to the agent.
NoteHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
OAuth access relies on local persistent state; stale or improperly protected local state could affect future agent sessions.
Why it was flagged
OAuth-mode generated skills persist credential-related state in mcporter’s vault and a provisioning marker/hash under the skill directory.
Skill content
The wrapper seeds mcporter's vault as needed before each call... Detects credential rotation by hashing the env-supplied OAuth client/refresh credential material and comparing against `${SKILL_DIR}/.provisioned`.Recommendation
Store generated OAuth skills in a protected workspace, limit access to the agent runtime environment, and document how to clear the mcporter vault and `.provisioned` state when revoking access.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
A future package update or typosquatted MCP package could change what code runs locally.
Why it was flagged
Generated stdio wrappers may rely on package-runner installation paths for upstream MCP servers. This is disclosed and purpose-aligned, but package provenance and version pinning are left to the generated skill author.
Skill content
For `npx -y <pkg>` and `uvx <pkg>` patterns, the package is identifiable from args.
Recommendation
Prefer trusted upstream packages, pin versions where practical, and include clear install metadata for generated stdio skills.