MachineCommander
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is mainly a machinery data query integration, but it also documents an unscoped command-sending function for construction equipment and accesses sensitive fleet/location data.
Review this skill before installing. It may be appropriate for authorized fleet telemetry queries, but confirm the MachineCommander MCP service is trusted, access-controlled, and tenant-scoped, and do not enable the command-sending function unless explicit approval and safety controls are in place.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could issue broad management instructions through the MachineCommander service if the user or model invokes this path incorrectly.
The skill documents a management/command path that takes an arbitrary order, without describing allowed operations, safeguards, or confirmation for potentially high-impact equipment actions.
### 发送指令 ```bash mcporter call MachineCommander manage_construction_machines 'order=你的指令' ```
Separate read-only query functions from management actions, require explicit user confirmation for any command, and document exact allowed operations and safety limits.
Users may not know which fleet, tenant, or project data the agent can access or whether it has authority beyond simple querying.
The skill uses an MCP service with access to live operational machinery data, while the artifacts do not define which account, tenant, project, or permission scope controls that access.
使用机械指挥官MCP服务查询工程机械和船舶的实时数据、状态和位置信息。
Document the authentication model, tenant/project scoping, and whether the skill is read-only or has operational command privileges.
Responses may reveal sensitive fleet locations, project associations, and movement history to whoever can use the skill.
The MCP service returns sensitive operational information such as live GPS location, tenant/project details, and movement history; this is purpose-aligned but privacy-sensitive.
- **设备位置**: 设备的实时GPS位置 - **项目信息**: 所属项目、租户等 - **历史轨迹**: 设备移动轨迹
Use the skill only where the MachineCommander MCP service is trusted and access-controlled, and avoid exposing returned telemetry to unauthorized users.
Users must rely on their existing environment and trust in the external MCP service because this package does not show how that service is installed or secured.
The review artifacts provide no provider homepage, source provenance, install specification, or implementation details for the referenced MachineCommander MCP service.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the MachineCommander MCP provider, its configuration, and its permissions before enabling the skill.