justinX
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to be a coherent JustinX streaming-data MCP connector, but using it means trusting JustinX with API keys, stream credentials/data, webhook/WebSocket URLs, and any persistent watchers you create.
Install only if you trust JustinX as a hosted MCP provider. Use scoped API keys and broker credentials, protect webhook and WebSocket URLs, treat streamed payloads as untrusted input, and remove long-running watchers when they are no longer needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You must trust the hosted JustinX MCP service to run the listed tools safely and protect data sent through it.
The skill configures a hosted MCP server rather than shipping local code, so users rely on the JustinX service implementation that is not included in the reviewed artifacts.
"url": "https://api.justinx.ai/mcp"
Use this only if you trust the provider, and review the provider’s documentation and data-handling terms before connecting sensitive streams.
JustinX and the configured MCP client may be able to access the connected streams using the credentials you provide.
The skill requires a JustinX bearer token and documents optional private MQTT/Kafka credentials for connecting protected data sources.
"Authorization": "Bearer YOUR_API_KEY" ... username=myuser password=mypass ... saslUsername=user saslPassword=pass
Use least-privileged, revocable credentials, avoid production broker credentials unless necessary, and rotate keys if they are exposed.
Anyone or anything able to send to an ingest URL may influence stream contents, and anyone with a WebSocket URL may be able to view streamed data depending on JustinX access controls.
The skill creates webhook ingest URLs and WebSocket subscription URLs that move external data into agent-facing streams and generated applications.
create_connection type=webhook ... POST JSON to it and messages appear in the stream ... Pass the WebSocket URL to any generated React/Next.js/HTML app
Treat webhook payloads as untrusted, protect ingest and WebSocket URLs, and avoid embedding sensitive stream URLs in public client-side code.
A watcher can continue processing stream data or producing alerts after the initial setup task unless you remove it.
Watchers are long-running managed automations, though the documentation discloses them and provides list, update, restart, and delete controls.
Watchers are managed automations that continuously monitor a connection ... Each watcher is scoped to a single connection.
Periodically list active watchers and delete any that are no longer needed.