ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloud Phone Agent

v0.0.2

Use mcporter to call cpc-mcp-server AutoJS Agent tools for cloud Android task execution and result retrieval.

0· 1k·1 current·1 all-time
by@sav7ng
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill describes cloud Android automation via cpc-mcp-server and only requires the mcporter CLI plus a single API key (CLOUDPHONE_API_KEY). Those requirements are proportionate and expected for a skill that routes requests through a generic MCP caller.
Instruction Scope
SKILL.md confines instructions to using mcporter to call cpc-mcp-server tools and to set Authorization: Bearer <API_KEY>. It does not instruct reading unrelated files or other environment variables. However, the mcporter tool supports arbitrary HTTP/stdio calls and JSON args — so the agent will be capable of transmitting user-provided scripts/data to remote endpoints (expected for this use-case, but a potential data-exfiltration vector if misused).
Install Mechanism
Install is an npm/node package ('mcporter'). Using a public npm package is a reasonable choice but carries typical registry risks (supply-chain/malicious publish). The skill metadata does not include a homepage/source URL beyond a README hint; verify the npm package identity and provenance before installing.
Credentials
Requires a single credential, CLOUDPHONE_API_KEY, which directly maps to the described Authorization header use. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
No special persistence requested (always:false). The skill is user-invocable and can be invoked autonomously by the agent (platform default) but does not request elevated agent-wide privileges or modify other skills/config.
Assessment
This skill appears internally consistent: it needs the mcporter CLI and an API key to call cpc-mcp-server and run AutoJS tasks. Before installing, verify the 'mcporter' npm package comes from a trusted publisher (check the package page, maintainer, and recent release history); ensure CLOUDPHONE_API_KEY has the least privileges necessary and is scoped/rotated; avoid passing sensitive secrets or PII in task instructions; and consider limiting autonomous use (or requiring user confirmation) if you don't want the agent to call remote devices without explicit approval.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📱 Clawdis
Binsmcporter
EnvCLOUDPHONE_API_KEY
Primary envCLOUDPHONE_API_KEY

Install

Install mcporter (node)
Bins: mcporter
npm i -g mcporter
latestvk9709ephs8qdjsjpk0p2gnsfts80xapr
1kdownloads
0stars
2versions
Updated 6h ago
v0.0.2
MIT-0
@sav7ng
latest
Download

What this skill does

cloudphone guides the agent to run Android automation tasks in a cloud phone environment by calling cpc-mcp-server tools through mcporter.

It is designed for:

  • AutoJS-based cloud phone automation
  • App regression / smoke test execution
  • Remote batch operation workflows
  • Scripted interaction on cloud Android devices

When to use this skill

Use this skill when the user asks for actions such as:

  • “Run a script on a cloud phone”
  • “Use AutoJS to automate this app flow”
  • “Execute Android UI steps remotely and return screenshots/logs”
  • “Use cpc-mcp-server for cloud-device automation”

When NOT to use this skill

Do not use this skill for:

  • Local ADB/emulator automation (non-cloud devices)
  • iOS automation (e.g., XCUITest)
  • Static script/code review without real device execution
  • Pure consulting requests without executable task goals

Required prerequisites (must pass before execution)

Before any call, ensure authentication is configured correctly.

cpc-mcp-server requires:

  • Authorization: Bearer <API_KEY>

This skill standardizes the API key through:

  • CLOUDPHONE_API_KEY (required)

Requirements

  1. Set environment variable CLOUDPHONE_API_KEY.
  2. Ensure MCP server header injection is active before execution:
    • Authorization: Bearer $CLOUDPHONE_API_KEY
  3. Never hardcode or commit real keys in repo files, SKILL.md, or config JSON.

This skill defines naming and preconditions only.
Secret injection implementation is handled by runtime/environment config.

Invocation model (via mcporter)

This skill does not call MCP tools directly. It uses mcporter CLI to invoke tools on cpc-mcp-server.

Common command patterns:

  • List configured MCP servers:
    • mcporter list
  • Inspect server schema:
    • mcporter list cpc-mcp-server --schema
  • Call tool with JSON args (recommended):
    • mcporter call cpc-mcp-server.<tool> --args '<json>'

Prefer --args JSON for long instructions, multilingual text, and special characters.

Minimal input checklist (before creating tasks)

Collect these fields first (ask follow-up only if missing):

  1. Target app (name/package)
  2. Intended action (what to do)
  3. Success criteria (what counts as done)
  4. Expected output type (screenshot/log/text result)

Tool 1: Create task (createAutoJsAgentTask)

Goal

Create and dispatch an AutoJS Agent task, then obtain taskId (and possibly sessionId).

Recommended call

mcporter call cpc-mcp-server.createAutoJsAgentTask --args '{
  "instruction": "Open <APP_NAME> on cloud phone, log in with test account, navigate to Orders page, capture a screenshot, and return order count.",
  "lang": "en"
}'

Comments

Loading comments...