Pub Mcporter
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: mcporters Version: 1.0.0 The skill bundle is classified as suspicious primarily due to the inclusion of non-existent or future AI models (e.g., openai/gpt-5, bedrock/claude-4-6-opus, vertex/gemini-3) in its documentation, which indicates deceptive intent or a potential scam service. Additionally, the documentation frequently references an execution script (run.mjs) that is not included in the bundle, which would cause execution failures or lead the agent to perform unintended actions. There is also a functional inconsistency between the 'mcporter' CLI mentioned in the description and the 'SkillBoss' REST API (heybossai.com) documented in the files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use this skill to call powerful external tools directly, potentially bypassing safer, scoped workflows.
Direct MCP tool invocation can reach whatever configured MCP servers expose, but the artifacts do not show a server/tool allowlist, approval policy, or containment guidance.
description: "Use the mcporter CLI to list, configure, auth, and call MCP servers and tools directly."
Only enable this for trusted workflows; require explicit user approval before invoking MCP tools that mutate data, spend money, send messages, or access sensitive systems.
Misuse or mistaken invocation could send emails or SMS messages, creating privacy, spam, cost, or reputation impact.
These are outbound communication actions, including batch sends. The provided artifacts list them as callable tools but do not show visible recipient/message/count limits or confirmation requirements.
`email/send` | Send single email ... `email/batch` | Send batch emails ... `prelude/notify-send` | Send SMS notification ... `prelude/notify-batch` | Batch SMS notifications
Before using email or SMS models, require explicit confirmation of recipients, message body, send count, and expected cost; prefer a scoped or separate API key if available.
Anyone or any agent workflow with access to this key may be able to make provider calls under the user's account.
The skill uses a bearer API key to authorize SkillBoss/provider calls. This is expected for the integration, but it grants account and billing authority.
**Auth:** `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`
Use a revocable, least-privilege key where possible, monitor usage/billing, and avoid sharing the key in prompts, logs, or generated files.
The command may fail, or a system could execute an unrelated local executable named run.mjs if one exists in the user's PATH.
The documentation references a local run.mjs helper, but the manifest contains no code files or install spec declaring that helper.
run.mjs --model openai/whisper-1 --file recording.m4a
Verify the source and contents of any mcporter/run.mjs helper before running it; prefer the documented curl API calls if the helper is not provided by the skill.
Sensitive input data may be processed by SkillBoss and selected third-party providers according to their policies.
The skill is explicitly a gateway to multiple external providers; user prompts, audio, images, or documents may be routed outside the local environment.
One API key, 50+ models across providers (Bedrock, OpenAI, Vertex, ElevenLabs, Replicate, Minimax, and more). Call any model directly by ID, or use smart routing to auto-select...
Avoid sending secrets, private documents, or regulated data unless the provider terms and routing behavior are acceptable; choose explicit models/providers when routing matters.