Skill v1.0.0

ClawScan security

Transition MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:33 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions are consistent with a multisport coaching API, but the package metadata omits important requirements (the API key and the Go toolchain needed to build and run the bundled code), an inconsistency you should understand before installing.
Guidance
This skill appears to implement what it claims (it calls Transition API endpoints and provides MCP server tools), but the package metadata is incomplete: it declares neither the TRANSITION_API_KEY environment variable nor the Go toolchain, even though the included code requires both. Before installing or running:
1) Verify that you trust https://transition.fun and the skill author (the registry lists the source as 'unknown').
2) Expect to supply TRANSITION_API_KEY (it starts with tr_live_). Store it securely and keep it out of version control; the README's approach of putting it in a shell profile or an MCP config file leaves it stored locally in plaintext.
3) If you plan to run the MCP server locally, make sure you have the Go toolchain and inspect the dependencies (github.com/modelcontextprotocol/go-sdk) before building.
4) If you only need unauthenticated features, use the free /wod endpoint, which needs no API key.
5) Ask the publisher to correct the metadata (declare the required env vars and binaries) or to provide a signed release binary so the artifact can be verified without building it.
If you are not comfortable building and running third-party code that makes network calls to an external API, do not install it; use the unauthenticated curl examples against the public endpoints instead.

Review Dimensions

Purpose & Capability
concern: The SKILL.md and the included Go code clearly expect a TRANSITION_API_KEY (and optionally TRANSITION_API_URL) and provide an MCP server implementation, yet the registry metadata lists no required environment variables or binaries. The presence of mcp/*.go files means a user needs a Go toolchain and the modelcontextprotocol go-sdk to build and run the server; neither is declared in the metadata.
Instruction Scope
ok: Runtime instructions (SKILL.md, README, examples) stay within the advertised purpose: calling https://api.transition.fun endpoints, polling generation status, and using the API key for authenticated calls. There are no instructions to read unrelated system files or to send data anywhere other than the Transition API. The README does show how to add the API key to a shell profile or an MCP config file, which stores the key locally.
Install Mechanism
note: There is no formal install spec (the skill is instruction-only), but Go source code is bundled. Building the MCP server requires 'go build', which pulls in dependencies (github.com/modelcontextprotocol/go-sdk/mcp). The absence of an install spec or binary declaration is a packaging inconsistency, not necessarily a malicious one, but it means a user who follows the README will compile and run the code locally.
Credentials
concern: The code requires only one real credential, TRANSITION_API_KEY (plus an optional TRANSITION_API_URL). The registry metadata incorrectly lists no required env vars and no primary credential. That omission is misleading: the skill's personalized features only work if you provide the API key, and the README/SKILL.md direct you to store it in a shell profile or an MCP config file.
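One way to check the inconsistency flagged above (Guidance steps 2 and 3, and the Purpose & Capability and Credentials dimensions) on your own copy of a skill before building it, as an added example that is not part of this scan report or the skill's own code: parse the bundled Go source with the standard library's go/parser, list the environment variables it reads, the third-party modules it imports and any string literal carrying the tr_live_ prefix (a hard-coded key), then diff the environment variables against what the registry metadata declares. The sample source below is constructed for this example in the shape the report describes (TRANSITION_API_KEY, optional TRANSITION_API_URL, the go-sdk import); it is not the skill's actual code, and `declaredEnvVars` is left empty to mirror the registry entry.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// Findings from a parse-only inspection of one Go file: nothing is compiled or run.
type Findings struct {
	EnvVars      []string // names passed as string literals to os.Getenv / os.LookupEnv
	ThirdParty   []string // imports whose first path element contains a dot (not stdlib)
	HardcodedKey []string // string literals with the tr_live_ prefix of a Transition key
}

// inspectSource parses Go source text and collects the three kinds of findings.
func inspectSource(src string) (Findings, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "skill.go", src, 0)
	if err != nil {
		return Findings{}, err
	}
	envs, mods, secrets := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, imp := range f.Imports {
		path, _ := strconv.Unquote(imp.Path.Value)
		if strings.Contains(strings.SplitN(path, "/", 2)[0], ".") {
			mods[path] = true
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BasicLit: // any string literal that looks like a live key
			if s, err := strconv.Unquote(x.Value); x.Kind == token.STRING && err == nil && strings.HasPrefix(s, "tr_live_") {
				secrets[s] = true
			}
		case *ast.CallExpr: // os.Getenv("NAME") or os.LookupEnv("NAME") with a literal name
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident)
			if !ok || pkg.Name != "os" || (sel.Sel.Name != "Getenv" && sel.Sel.Name != "LookupEnv") || len(x.Args) != 1 {
				return true
			}
			if lit, ok := x.Args[0].(*ast.BasicLit); ok && lit.Kind == token.STRING {
				if name, err := strconv.Unquote(lit.Value); err == nil {
					envs[name] = true
				}
			}
		}
		return true
	})
	return Findings{EnvVars: sortedKeys(envs), ThirdParty: sortedKeys(mods), HardcodedKey: sortedKeys(secrets)}, nil
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// undeclared returns the names the code needs that the registry metadata does not declare.
func undeclared(found, declared []string) []string {
	ok := map[string]bool{}
	for _, d := range declared {
		ok[d] = true
	}
	var missing []string
	for _, name := range found {
		if !ok[name] {
			missing = append(missing, name)
		}
	}
	return missing
}

// Constructed sample in the shape the report describes; not the skill's real source.
const sampleSkillSource = `package main
import (
	"fmt"
	"os"
	"github.com/modelcontextprotocol/go-sdk/mcp"
)
func main() {
	key := os.Getenv("TRANSITION_API_KEY")
	base, ok := os.LookupEnv("TRANSITION_API_URL")
	if !ok {
		base = "https://api.transition.fun"
	}
	fmt.Println(key, base, mcp.Implementation{})
}
`

// What the registry entry declares: nothing, which is the gap the scan flags.
var declaredEnvVars []string

func main() {
	f, err := inspectSource(sampleSkillSource)
	if err != nil {
		panic(err)
	}
	fmt.Println("env vars read by code:       ", f.EnvVars)
	fmt.Println("not declared in metadata:    ", undeclared(f.EnvVars, declaredEnvVars))
	fmt.Println("third-party modules to audit:", f.ThirdParty)
	fmt.Println("hard-coded tr_live_ literals:", f.HardcodedKey)
}
```

Run it over every .go file in the skill (mcp/*.go here) and treat a non-empty "not declared in metadata" list or any tr_live_ literal as a reason to stop and ask the publisher before building. The check is deliberately parse-only, so it runs without fetching the go-sdk dependency or executing anything from the package; a name built at runtime rather than passed as a literal would be missed, which is another reason to still read the source.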
Persistence & Privilege
ok: The skill does not request 'always: true' and does not modify other skills or system-wide settings. Running the MCP server registers tools and resources with an MCP client, which is standard for this type of skill and is limited to the local process you run.