Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MCP Development Kit: Guide + Server Templates + Registry Configs

v1.3.1

Everything you need to build and publish MCP servers. Includes the MCP Server Development guide, agent commerce discovery patterns, and protocol interoperabi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill labels itself as a bundle of guides and code/templates for MCP server development. A documentation/template bundle normally should not require runtime access to secrets like a Stripe API key, an agent signing private key, or a wallet private key. The presence of those credentials is disproportionate to the stated purpose unless the skill actually performs automated publishing, payment setup, or signing — which is not documented.
! Instruction Scope
SKILL.md is essentially metadata and a description; it lists credentials but contains no concrete runtime steps describing how those credentials will be used, what endpoints will be called, or what files will be read/written. That vagueness gives the agent broad discretion and increases risk: the skill could use secrets in any way without the user seeing explicit instructions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write or execute downloaded code on install. That lowers technical installation risk compared to skills that fetch binaries or archives.
! Credentials
Requires four environment variables including STRIPE_API_KEY (primary), GREENHELIX_API_KEY, AGENT_SIGNING_KEY, and WALLET_ADDRESS. For a guide/templates bundle, requiring a payment processor key and especially an agent signing key and wallet (sensitive private credentials) is not justified by the metadata. AGENT_SIGNING_KEY implies access to a private signing key; users should never supply private keys unless they understand exactly how they will be used and stored.
Persistence & Privilege
The skill does not request always:true and does not provide an install script, nor does it claim to modify other skills or system-wide settings. Autonomous invocation is allowed by default (not flagged by itself) but combined with the credential requests this increases potential impact.
What to consider before installing
This appears to be a documentation/template bundle but it asks for multiple sensitive secrets. Before installing, ask the publisher why the skill needs each credential and request exact runtime steps showing how each secret is used, stored, and transmitted. Never provide your real agent signing private key or wallet private key without an audited, minimal-purpose implementation; use test keys or scoped API keys where possible. If the skill will perform automated publishing or payments, require a clear, verifiable workflow and consider running it in an isolated environment. If the publisher cannot explain why these secrets are needed, do not install it.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-agent, bundle, code, greenhelix, guide, latest, mcp, openclaw, server-development, starter-kit

Runtime requirements

Env: STRIPE_API_KEY, GREENHELIX_API_KEY, AGENT_SIGNING_KEY, WALLET_ADDRESS
Primary env: STRIPE_API_KEY
