Env credential access
- Finding
- Environment variable access combined with network send.
Security checks across static analysis, malware telemetry, and agentic risk
The skill appears purpose-aligned for searching and inspecting Substreams packages, with normal cautions around running an npm MCP server, fetching user-supplied URLs, and optionally exposing an HTTP/SSE endpoint.
This skill looks reasonable for its purpose. Before installing, verify the npm package source, prefer local stdio or localhost HTTP mode, avoid exposing the SSE endpoint publicly, pass only trusted .spkg URLs, and review any generated sink deployment commands before running them.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing runs third-party package code on the user's machine.
The skill asks users to execute an npm package via npx. That is coherent for an MCP server, but it means installation depends on the published package and npm dependency chain.
## Install
```bash
npx substreams-search-mcp
```
Verify the npm package/repository before use and prefer pinned or reviewed versions for sensitive environments.
If exposed to untrusted callers, the server could be made to fetch unexpected URLs.
Package inspection fetches a caller-supplied URL. This is expected for inspecting .spkg files, but it is still an outbound request capability controlled by tool input.
return await fetchSubstream(url, { signal: controller.signal });
Use trusted .spkg URLs and do not expose the MCP server to untrusted clients without access controls.
A malicious package description could contain text that attempts to influence the agent if the agent treats returned documentation as instructions.
The tool returns documentation and metadata from external Substreams packages into the agent context. That content is purpose-aligned but untrusted.
doc: pkg.packageMeta[0].doc || undefined
Treat package docs and metadata as data, not instructions, and review any generated commands before acting on them.
If the SSE endpoint is exposed beyond a trusted local environment, other clients may be able to invoke the tools.
The skill can run an HTTP/SSE MCP endpoint for remote agents. The documentation does not describe authentication, though the example uses localhost.
Supports **dual transport** — stdio for local clients and SSE/HTTP for remote agents
Keep the endpoint bound to localhost or protect it with network-level access controls when using HTTP/SSE mode.