Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PracticePanther API MCP
v1.0.0
MCP server for the PracticePanther legal practice management API. Exposes PracticePanther's REST API as read-only MCP tools.
by Mike Quinlan @mjquinlan2000
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to expose the PracticePanther REST API as read-only MCP tools, which reasonably implies the server will need PracticePanther API credentials. However, requires.env lists only NODE_MCP_SECRET_KEY (presumably an MCP auth secret) and no PracticePanther API key/token. It's unclear how the MCP server will authenticate to PracticePanther or where those credentials are supplied. That missing linkage is an unexplained inconsistency.
Instruction Scope
SKILL.md contains only concise usage instructions for mcporter (list/call) and a link to an npm package. It does not instruct the agent to read unrelated files, environment variables, or system paths, nor to transmit data to unexpected endpoints. The runtime instructions themselves stay within the declared MCP usage boundary.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That limits what was statically analyzable (scanner had nothing to inspect). The SKILL.md points to an npm package but does not provide an install step; the user must obtain the required 'practicepanther-mcp' binary themselves. That lack of provenance increases risk because the binary could come from an untrusted source.
Credentials
Only NODE_MCP_SECRET_KEY is declared as required. An MCP server secret is plausible, but a tool that proxies PracticePanther's API would normally require PracticePanther credentials (API key/token) or document where those are provided. The absence of declared PracticePanther credentials or config paths is disproportionate to the stated purpose and leaves unanswered how external API auth is handled.
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills or system settings, and declares no config paths. It appears to have normal, ephemeral privileges consistent with an optional MCP helper.
What to consider before installing
Before installing or running this skill:
1) Verify the provenance of the practicepanther-mcp binary (inspect the npm package @mjquinlan2000/practicepanther-mcp source and maintainer).
2) Ask the publisher how PracticePanther API credentials are supplied and stored — do not assume they are unnecessary; you should never provide your PracticePanther API key unless you understand where it will be stored and used.
3) Treat NODE_MCP_SECRET_KEY as sensitive — confirm it is only used locally and not exfiltrated.
4) Prefer installing from trusted package registries and reviewing package code (or running in an isolated environment) before granting network access.
5) If the publisher cannot explain where PracticePanther credentials live or provide a verifiable source/homepage, consider this skill suspicious and avoid installing it.
Like a lobster shell, security has layers — review code before you run it.
latestvk978nj5yja79b9gpwqq8ry4cr982m203
Runtime requirements
Bins: mcporter, practicepanther-mcp
Env: NODE_MCP_SECRET_KEY
