Back to skill
Skillv0.1.3
ClawScan security
AutoSend MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 10, 2026, 4:43 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions match its stated purpose (connecting to AutoSend MCP via the mcporter CLI); nothing requested appears disproportionate or unrelated.
- Guidance
- This skill appears coherent: it asks you to install the mcporter CLI and authenticate to AutoSend via OAuth, which is expected. Before installing, verify the mcporter npm package and its GitHub repo for legitimacy and recent maintenance (review package metadata, repository, and any postinstall scripts). Be aware OAuth tokens will be stored at ~/.mcporter/autosend/tokens.json — treat that file as sensitive (restrict filesystem permissions and inspect contents). Prefer the desktop/browser auth flow to avoid manual handling of tokens if possible. If you plan to let the agent call the skill autonomously, remember mcporter will make network calls to the AutoSend MCP server using your tokens; only enable that if you trust the service and the environment. If you want extra caution, run the install and initial auth in an isolated environment (VM/container) and review the mcporter binary before granting broader use.
Review Dimensions
- Purpose & Capability
- okName/description (AutoSend MCP via mcporter) align with required binaries and installation (mcporter npm package). The listed tools and CLI calls in SKILL.md directly map to managing campaigns, templates, contacts, and analytics on the AutoSend MCP server.
- Instruction Scope
- okSKILL.md only instructs installing mcporter, adding the AutoSend MCP server, performing the OAuth flow (desktop or headless), and calling mcporter verbs. It does not direct the agent to read unrelated system files, environment variables, or transmit data to endpoints outside AutoSend/mcporter. It does instruct storing tokens in ~/.mcporter/autosend/tokens.json (expected for OAuth clients).
- Install Mechanism
- noteInstallation is via npm (npm install -g mcporter). This is a common install route and consistent with needing the mcporter binary, but npm packages carry moderate risk compared to vetted system packages — verify the mcporter package source, maintainer, and that no unexpected postinstall scripts run.
- Credentials
- noteNo environment variables or external credentials are requested by the skill metadata. The OAuth tokens are expected to be stored locally under ~/.mcporter/autosend/tokens.json — this is proportional to the purpose but is sensitive data; the skill does not ask for other unrelated secrets.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills or system-wide settings beyond creating/using the mcporter binary and its own config/token files. Agent autonomous invocation is allowed by default but not excessive here.