Flower
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent Flower project-management MCP integration; users should notice that it runs an external MCP package and can change or delete Flower project data using an API token.
Before installing, verify the @xferops/flower-mcp package, use a dedicated least-privilege Flower API token, and review destructive or permission-changing actions such as deleting tasks/columns or adding/removing team members.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the integration could change or remove tasks, columns, comments, team membership, or settings in Flower.
The tool list includes mutating and destructive project-management operations. These are purpose-aligned and disclosed, but users should understand that the agent may be able to alter workspace data.
`flower_delete_task` — Delete a task; `flower_delete_column` — Delete a column; `flower_add_team_member` — Add user to team; `flower_remove_team_member` — Remove from team
Use a Flower API token with the minimum permissions needed and review high-impact actions such as deletes or membership changes before allowing them.
The agent can act with the permissions of the configured Flower token.
The skill requires a Flower API token for authenticated account access. This is expected for the integration, but the token determines what the agent can do in Flower.
`"FLOWER_TOKEN": "your-api-token"`
Create a dedicated, least-privilege token if Flower supports scoping, and avoid using an admin token unless necessary.
Installing or running the MCP server will execute code from the external npm package, which was not present for this review.
The setup relies on an external npm MCP package and does not pin a package version. This is normal for an MCP integration but means the executable code is not included in the reviewed artifact.
`npx -y @xferops/flower-mcp`
Verify the npm package and publisher, consider pinning a trusted version, and install it only from a trusted environment.
