Skill v0.1.6

ClawScan security

Plati MCP Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 10:49 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and instructions align with its stated purpose (running a local plati-mcp server and querying it), but it asks you to install an unreviewed global npm package — review and sandbox that step before proceeding.
Guidance
This skill appears to do what it says, but before installing:
1) Verify the npm package (plati-mcp-server) on npmjs.org / its source repo and check publisher reputation and recent releases.
2) Prefer installing in a sandbox/VM or use a non-global install to limit host impact.
3) Inspect the package code (or its GitHub) if possible for network calls or credential access.
4) Be aware results may contain external links from sellers; treat links cautiously.
5) If you cannot vet the package, do not install it globally on a production machine.

Review Dimensions

Purpose & Capability
ok: The name/description (search Plati via local MCP server) matches the instructions: install a plati-mcp-server npm package, run a local MCP server named plati-scraper, and call the find_cheapest_reliable_options tool with the listed parameters.
Instruction Scope
ok: SKILL.md confines runtime actions to installing/running a local MCP server and processing its results. It does not instruct reading unrelated system files, other credentials, or exfiltrating data to external endpoints beyond including links returned by MCP results.
Install Mechanism
note: There is no registry install spec; the README instructs the user to run `npm i -g plati-mcp-server`. A global npm installation is a reasonable way to provide a local server but carries moderate risk because the package will run arbitrary code on the host. The package source/version are not verified in the skill.
Credentials
ok: The skill declares no required environment variables or credentials. The only env var mentioned (PLATI_MCP_STDERR) is for debug logging and is not sensitive.
Persistence & Privilege
note: The skill does not request always:true and is user-invocable. It asks the operator to configure a local MCP server in the agent config; this requires permission to run/launch local processes and to modify local agent config, which is expected for a local scraper but worth noting.