Flower
v1.0.4
Manage projects and tasks with the Flower project management API via MCP. Use when creating, updating, or searching tasks/tickets, managing projects and colu...
by xferops@parker-xferops
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The name, description, and listed tools (projects, tasks, columns, comments, users, notifications) are coherent: this is a Flower project-management client intended to be used via an MCP server. The SKILL.md describes relevant operations and parameters.
Instruction Scope
The SKILL.md instructs the agent/user to run `npx -y @xferops/flower-mcp` and to configure an MCP client with environment values including FLOWER_URL and FLOWER_TOKEN. Those runtime actions go beyond passive documentation: they download/run an npm package and require storing an API token in a config file. The instructions do not reference any unrelated files or credentials, but they do instruct persisting a token into `~/.mcporter/mcporter.json` which has confidentiality implications and should be called out.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells users to execute `npx -y @xferops/flower-mcp`. That will fetch and run code from the npm registry at runtime (supply-chain risk). This install method is common for ad-hoc tools but should be verified (package name, author, versions). The skill should ideally declare this dependency in metadata or provide a vetted release URL.
Credentials
The instructions require FLOWER_URL and FLOWER_TOKEN (the Flower API token) but the registry metadata lists no required environment variables or primary credential. The token is a sensitive secret; the skill's manifest should declare it. The variables requested are appropriate for the stated purpose, but the omission in metadata is a mismatch and increases the chance users will inadvertently expose credentials.
Persistence & Privilege
`always` is false and there are no requests to modify other skills or system-wide settings. The only persistent change suggested is adding an MCP server entry (including the token) to the user's `~/.mcporter/mcporter.json`, which is reasonable for a client integration but has the confidentiality implications noted above.
What to consider before installing
This skill appears to be a normal Flower↔MCP integration, but take these precautions before installing:
- Verify the package @xferops/flower-mcp on npm (publisher, recent releases, download count, source repository) before running `npx -y` — npx will fetch and run code from the network.
- Treat FLOWER_TOKEN as a secret: confirm where it will be stored (the instructions put it into `~/.mcporter/mcporter.json`) and whether that file is appropriately protected.
- Ask the skill publisher for a source/homepage or a pinned package version to avoid accidental upgrades to malicious code.
- Prefer running npx without `-y` initially so you can inspect what is downloaded, or install a specific vetted version instead of a floating/latest fetch.
- Because the registry metadata did not declare required env vars or a primary credential, be skeptical: the omission could be an oversight or sloppy packaging — ask the author to update the metadata to declare FLOWER_TOKEN and FLOWER_URL.
If you need this integration and can verify the npm package and protect your token, the skill is usable; otherwise hold off until the publisher provides verifiable source and correct metadata.
