MCP Server Pack
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is purpose-aligned as an MCP server pack, but it can enable powerful file, credential, database, cloud, memory, Docker, and npm integrations while providing only limited scoping and provenance detail.
Review this skill before installing. Only enable the MCP servers you need, prefer self-hosting for sensitive data, pin and verify any Docker images or npm packages, restrict file mounts and credentials, and do not accept a default-all generated config without manual review.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the generated config is accepted blindly, an agent could gain broad local and third-party service capabilities beyond what the user intended for a single task.
A read-only config generator can produce an MCP configuration for all servers by default, including file-write, account, and database access, without clearly defining approval gates, allowed paths, or containment.
servers: ... description: "Server names to include (default: all)" ... "filesystem-secure" | File system access with sandbox (chroot) | Read/write within allowed roots ... "github" ... Requires GitHub token ... "postgres" ... Requires DB connection string
Generate configs only for specific needed servers, review every MCP command and permission, set explicit filesystem allowlists, and avoid using the default-all configuration.
Running the suggested configuration could execute unreviewed third-party code on the user's machine with access to mounted files or supplied credentials.
The self-hosted workflow relies on remote Docker images or npm packages, but the artifacts do not pin versions or digests and provide no source or install spec for review.
The skill downloads Docker images or binaries ... "command": "docker", "args": ["run", "-i", "--rm", "-v", "/path/to/allowed:/data", "openclaw/mcp-filesystem-secure"] ... "command": "npx", "args": ["-y", "mcp-github"]
Use pinned image digests and package versions, verify publishers and source code, run containers with least privilege, and do not auto-run generated Docker or npx commands without review.
A misconfigured token or connection string could expose private repositories or database contents to the MCP server.
GitHub tokens and database connection strings are expected for these integrations, and the GitHub guidance is read-scoped, but these credentials still grant access to private account or database data.
"github" | GitHub API integration (issues, PRs, repos, search) | Requires GitHub token ... "postgres" | PostgreSQL read-only queries | Requires DB connection string ... Create a fine-grained PAT with `issues:read`, `pull_requests:read`, `repo:status` scopes.
Use least-privilege, read-only credentials; avoid broad GitHub PAT scopes; use a restricted database user; and rotate credentials if they are placed into generated configs.
Sensitive or incorrect information stored in memory could persist and influence later agent behavior.
The skill explicitly includes a persistent memory server; this is purpose-aligned, but the server can retain information across tasks, and that information can be reused in later sessions.
"memory-enhanced" | Memory server with WAL + compaction survival | Persistent JSON store
Store only information you are comfortable retaining, review or clear memory periodically, and avoid placing secrets in persistent memory.
Data sent through cloud-hosted MCP servers may leave the local environment and be processed by the provider's infrastructure.
The cloud option sends MCP traffic to a hosted service. This is disclosed and TLS is mentioned, but it creates an external data boundary users should understand.
We host the MCP servers on our infrastructure ... You get a unique connection URL (wss://mcp.openclaw.ai/server) ... Is data sent to cloud? For cloud servers yes, but encrypted in transit (TLS).
Use self-hosting for sensitive data, confirm the provider and privacy terms, and avoid routing secrets or private files through cloud-hosted servers unless necessary.