Tolstoy MCP
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad agent action could change store widgets or publish content to connected commerce and advertising channels.
The skill exposes tools that can publish public/business content and delete or modify Tolstoy widgets. This is disclosed and matches the integration purpose, but the impact is significant.
Once connected, OpenClaw has access to Tolstoy's full tool set ... Create, update, publish, delete player and shopper widgets ... Publish assets to Instagram, TikTok Shop, Shopify, Meta Ads
Use explicit prompts, review outputs before publication, and avoid granting access to workspaces where unintended changes would be costly.
OpenClaw may continue to access the authorized Tolstoy workspace in later sessions until the authorization is revoked.
The skill relies on OAuth account authorization and keeps that authorization available after setup.
Select the workspace you want to connect ... Authorize the MCP client ... After authorization, the connection persists for future sessions.
Authorize only the intended Tolstoy workspace, prefer least-privileged accounts where possible, and revoke the OAuth connection when no longer needed.
Running the setup script changes the local OpenClaw configuration, including whichever path is selected by `OPENCLAW_CONFIG_PATH`.
The setup script is a local Node.js command that modifies the OpenClaw configuration file to add the Tolstoy MCP server.
config.mcpServers.tolstoy = TOLSTOY_MCP_ENTRY; ... fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n', 'utf8');
Review or back up your OpenClaw config before running setup, or use the manual configuration instructions if preferred.
Tolstoy-related prompts, workspace data, media, product information, and analytics may be sent to or retrieved through the remote Tolstoy MCP service.
The skill connects OpenClaw to a remote MCP server, so tool requests and Tolstoy account data flow through that external service.
"tolstoy": { "type": "http", "url": "https://apilb.gotolstoy.com/mcp/v1/mcp", "auth": "oauth" }
Install only if you trust the Tolstoy MCP endpoint and are comfortable sharing relevant workspace data with that service.
Users have less provenance information from the registry view when deciding whether this package is the expected Tolstoy integration.
The registry metadata shown to the reviewer does not provide a source repository or homepage, even though the skill asks the user to authorize a Tolstoy-connected MCP integration.
Source: unknown; Homepage: none
Verify the publisher and Tolstoy documentation before granting OAuth access.
