MCP Apps
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The plugin mostly matches its stated MCP Apps purpose, but it exposes a broad gateway for running registered tools and its visibility role appears to be caller-supplied, so access controls need review.
Install only if you need MCP-App UI and gateway support. Limit gateway/operator.write access, treat registered tools and UI resources as trusted code/content, and configure any file-backed resources to narrow, non-sensitive directories.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A client or agent with access to this method could cause registered MCP-App tools to run, including tools that may have side effects.
The gateway handler executes a registered tool chosen by request parameters with caller-provided arguments. This is core to the plugin, but it is a broad execution surface without per-tool confirmation or argument enforcement in this layer.
const toolName = params.name as string;
...
const toolArgs = (params.arguments ?? {}) as Record<string, unknown>;
...
const result = await tool.execute(toolCallId, toolArgs);

Use this only in environments where gateway write access is tightly restricted, and require registered tools to validate arguments and request confirmation for high-impact actions.
If users rely on MCP App visibility as a security boundary, a caller may be able to claim or omit a role in ways the artifacts do not clearly constrain.
The handler receives client context but uses the request's callerRole parameter for visibility decisions. The artifacts do not show that this role is derived from or checked against the authenticated client.
type GatewayMethodOpts = {
  params: Record<string, unknown>;
  ...
  client: { connect?: { scopes?: string[] } } | null;
};
...
const callerRole = params.callerRole as "model" | "app" | undefined;

Bind callerRole to authenticated gateway/client identity, or document that visibility is only a UI hint and must not be used to protect sensitive tools.
Users should understand that installing the plugin adds privileged gateway surfaces, especially the write-scoped tool-call method.
The plugin uses gateway authentication and operator scopes. That is expected for this kind of gateway plugin, but it means authorized clients receive delegated ability to list/read resources and call registered tools.
api.registerGatewayMethod("mcp-apps.tools.call", ... { scope: "operator.write" });
...
api.registerHttpRoute({ path: "/api/mcp-apps", ... auth: "gateway" });

Review which clients can obtain operator.read and operator.write access before enabling the plugin.
A registering tool configured with a broad root directory could expose local file contents as UI resources through the gateway.
The resource registry can serve file-backed HTML resources selected by other registering tools. The code includes traversal and size checks, but the data boundary depends on the rootDir and relativePath supplied by those tools.
registerFile(params: { uri: string; name: string; rootDir: string; relativePath: string; ... })
...
const buf = await fs.readFile(candidate);

Only allow trusted plugins to register file-backed resources, and keep resource roots narrow and dedicated to UI assets.
