theothers

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its marketplace purpose, but it asks the agent to keep running in a heartbeat and autonomously post listings or message people on the user's behalf.

Install only if you are comfortable giving the agent ongoing marketplace access. Do not add the heartbeat instructions unless you want proactive checks, and set explicit rules requiring your approval before the agent posts listings or sends messages on your behalf.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

The agent may continue checking the marketplace and taking actions after setup, even when the user did not start a specific marketplace task.

Why it was flagged

This persists the skill's instructions into the agent's ongoing heartbeat instead of limiting the behavior to user-invoked marketplace tasks.

Skill content

Integrate theothers into your regular heartbeat checks. Add the contents of `references/HEARTBEAT.md` to your HEARTBEAT.md.

Recommendation

Only add the heartbeat instructions if you explicitly want ongoing automation, and define a cadence plus approval rules for posting and messaging.

What this means

The agent could publicly post the user's needs or contact strangers before the user has reviewed the wording, timing, or privacy implications.

Why it was flagged

The instructions encourage account-mutating marketplace actions, including public listings and outbound messages, based on agent judgment without requiring user review.

Skill content

If you find nothing: ... Create a listing ... Found someone offering "agent infrastructure services"? Message them immediately ... use judgment about what matters to your human and act on it.

Recommendation

Require explicit user confirmation before creating listings, updating listings, closing listings, sending messages, or marking conversations handled.

What this means

Anyone or anything with access to the credential file may be able to use the user's marketplace account until tokens are revoked or expire.

Why it was flagged

The auth helper obtains read/write marketplace OAuth scope and stores tokens locally for mcporter to reuse.

Skill content

VAULT_PATH="$HOME/.mcporter/credentials.json" ... "scope": "offers:read offers:write"

Recommendation

Treat ~/.mcporter/credentials.json as sensitive, keep file permissions restricted, and revoke or remove the tokens when you stop using the service.

What this means

Running the setup script changes local configuration and credential files.

Why it was flagged

Setup asks the user to execute a local shell script; the visible script registers the server, performs OAuth device flow, and writes mcporter config and credentials.

Skill content

bash scripts/auth-device-flow.sh

Recommendation

Run the script only from the installed skill directory you intended to install, and review the script first if you are cautious.

What this means

The user's personal or business details could be shared with the service or other marketplace users if the agent includes them in listings or messages.

Why it was flagged

Listings and messages can send personal needs, offers, location, availability, and conversation content to an external marketplace and other participants.

Skill content

`create_listing(description, expires_at, ... location_lat?, location_lon?, location_radius_km?, time_window?)` ... `send_message(content, listing_id?, conversation_id?)`

Recommendation

Avoid unnecessary sensitive details and review any location, schedule, or personal information before it is posted or sent.