ClawHub

Mcpsec

v1.0.4

Scan MCP server configuration files for security vulnerabilities using mcpsec (OWASP MCP Top 10). Use when: auditing MCP tool configs for prompt injection, h...

0· 98·0 current·0 all-time
byPaul Frederiksen@pfrederiksen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries, included script, and declared scan targets align: the wrapper discovers local MCP config files and runs the mcpsec binary to report findings. Nothing requested (no env vars or unrelated binaries) appears out of scope for a configuration scanner.
Instruction Scope
The SKILL.md and wrapper limit activity to reading local config paths and running mcpsec; the wrapper uses subprocess.run with shell=False and path sanitization. Important caveat: the skill cannot enforce the binary's runtime behavior — SKILL.md claims the binary makes no network calls per its source, but that must be independently verified. Also scan output can include sensitive secrets from configs (the wrapper prints results to stdout), so treat outputs as sensitive.
Install Mechanism
Instruction-only skill (no packaged installer). SKILL.md shows downloading pre-built releases from GitHub (a known host) and suggests verifying SHA256 checksums and/or building from source — this is an appropriate mitigation. The install commands provided are explicit about checksum verification; treat pre-built binaries from third parties as moderate supply-chain risk unless you verify.
Credentials
No environment variables, credentials, or configuration paths outside the stated scan targets are requested. The skill reads only local config files (which legitimately may contain API keys) and does not require unrelated secrets.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide agent settings, and is user-invocable only. It does not attempt to persist credentials or alter system configuration.
Assessment
This wrapper appears to do only what it says: run the mcpsec scanner against local MCP config files. Before installing or running: (1) verify the mcpsec binary provenance (check the published SHA256 checksum or build from source); (2) run the scanner in an isolated environment (container/VM) if you are concerned about supply-chain risk; (3) treat scanner output as sensitive because config files may contain API keys/tokens; and (4) if you need a guarantee that the binary makes no network calls, review and build its source yourself rather than relying on the pre-built release. If any of these steps are impractical, consider not installing the pre-built binary.

Like a lobster shell, security has layers — review code before you run it.

latestvk9731k1a1e5xevs77w043fxgpd83jf1j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsmcpsec

Comments