XferOps Forge
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Forge project-management skill, but it uses a Forge API token, runs an external MCP npm package, and can make significant project/admin changes.
Install this only if you trust the @xferops/forge-mcp package and the Forge workspace it targets. Use a least-privilege API token, consider pinning the MCP package version, and require explicit approval before deleting projects/columns or changing team membership.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could make irreversible changes to Forge projects if given the wrong ID or insufficiently reviewed instructions.
The skill documents destructive Forge administration tools. This is disclosed and aligned with board administration, but deleting projects or columns can permanently remove business data.
`forge_delete_project projectId=<id>` ... `⚠️ Irreversible. All tasks and history are gone.`
Require explicit user confirmation before project deletion, column deletion, reordering, or team membership changes, and verify target IDs carefully.
Anyone or anything with access to this token may be able to act on Forge data according to the token's permissions.
The configured MCP server uses a Forge API token. This is expected for a Forge integration, but it grants account/API authority and is not surfaced in the registry credential declarations.
`"FORGE_TOKEN": "your-api-token"`
Use a least-privilege Forge token, store it securely, rotate it if exposed, and avoid giving the skill broader project or team permissions than necessary.
If the npm package or a future version were compromised, it could affect the Forge account connected through the configured token.
Setup runs an external npm package as the Forge MCP server without a version pin. This is purpose-aligned, but package provenance and future updates matter because the server receives the Forge token.
`npx -y @xferops/forge-mcp`
Install only from a trusted package source, consider pinning an approved version, and review the package before giving it a privileged Forge token.
