v1.3.0

Substreams Search

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:20 PM.

Analysis

The skill mostly matches its Substreams search purpose, but it can fetch arbitrary package URLs and relies on npm-executed code whose built entrypoint is not present in the provided artifacts.

Guidance: Before installing, verify the npm package or repository, avoid exposing the SSE/HTTP endpoint to untrusted networks, restrict package URLs to trusted sources, and carefully review any generated sink or database commands before running them.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: Medium | Status: Note
src/index.ts
doc: pkg.packageMeta[0].doc || undefined

Package documentation from external .spkg files is returned to the agent. This is purpose-aligned, but the agent should treat that text as untrusted package data rather than instructions.

User impact: A malicious package description could try to influence the agent if the user or agent over-trusts returned documentation.
Recommendation: Treat package metadata and docs as data only, and do not follow instructions embedded in returned package text.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
src/index.ts
url: z.string().describe("Direct URL to a .spkg file") ... return await fetchSubstream(url, { signal: controller.signal });

The inspect-style tools accept a caller-controlled string and use it for an outbound fetch, with no visible scheme or host allowlist in the provided code.

User impact: If exposed to an untrusted agent or network, the server could be made to request unexpected URLs, including non-registry or internal addresses.
Recommendation: Restrict package URLs to trusted HTTPS hosts such as spkg.io or substreams.dev, and require review or approval for non-standard URLs.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
package.json
"bin": { "substreams-search-mcp": "build/index.js" }, "files": [ "build" ]

The npm executable points to build/index.js, but the provided file manifest lists source files and does not include that built entrypoint, creating a gap between reviewed artifacts and what npx would execute.

User impact: The code run through npx may not be the same as the source files shown in the skill artifacts.
Recommendation: Install only from a trusted package source, verify the npm tarball or repository, and include or pin the built entrypoint in reviewed artifacts.

Cascading Failures
Severity: Low | Confidence: High | Status: Note
SKILL.md
get_sink_config — Analyze sink configuration, extract SQL schemas, and generate ready-to-run CLI commands

The skill generates setup/run commands for sinks. It does not execute them, but those commands may affect databases or deployments if copied into a shell.

User impact: A bad generated command or untrusted sink configuration could cause unwanted deployment or database changes if run without review.
Recommendation: Review generated install, setup, SQL, and run commands before executing them, especially against production systems.

Human-Agent Trust Exploitation
Severity: Info | Confidence: Medium | Status: Note
README.md
Analyze a package's sink configuration and generate ready-to-run CLI commands.

The phrase 'ready-to-run' may encourage users to paste generated commands directly, even though the commands are derived from inspected package data.

User impact: Users may over-trust generated commands and run them without checking endpoints, schemas, or sink settings.
Recommendation: Treat generated commands as drafts and verify all flags, endpoints, and database targets before use.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
src/index.ts
const doc = pkg.moduleMeta[index]?.doc || undefined;

External module documentation is inserted into tool results. This is useful for inspection, but it is retrieved context that could be misleading or adversarial.

User impact: Untrusted package metadata could contaminate the agent's working context if treated as authoritative.
Recommendation: Keep returned package text separate from instructions and avoid storing or reusing it as trusted memory.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
README.md
Supports dual transport — stdio for local clients and SSE/HTTP for remote agents ... "url": "http://localhost:3849/sse"

The skill supports an MCP SSE/HTTP endpoint for remote agents, but the documentation does not describe authentication, origin checks, or network exposure controls.

User impact: If the HTTP/SSE endpoint is exposed beyond localhost, other clients may be able to invoke the read-only tools and trigger outbound package URL fetches.
Recommendation: Keep the endpoint bound to localhost unless needed, and use network access controls or authentication for remote deployments.