Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MCP Server Pack

v1.0.0

Managed MCP servers: filesystem-secure, memory-enhanced, github, postgres, websearch, rss. Provides connection details and auto-config for OpenClaw agents. S...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The README claims both cloud hosting and a self-hosted mode that 'downloads Docker images or binaries' and 'manages lifecycle', but the published skill is instruction-only with no install spec or code to perform downloads or lifecycle management. The examples also reference commands (docker, npx) and credentials (GITHUB_TOKEN, DB connection string) that are not declared in the skill metadata.
! Instruction Scope
SKILL.md generates configs that include docker run commands with host volume mounts and an npx command that would fetch remote code at runtime. While the skill text doesn't explicitly read local files itself, the generated commands — if executed — can expose local filesystem paths and environment variables. The file also states the skill will 'manage lifecycle', which is unsupported by the package contents.
! Install Mechanism
The skill contains no install spec (low technical risk in itself), yet the documentation claims the skill will download images/binaries for self-hosting. That claim is unsupported by the package. Additionally, the sample config uses 'npx -y mcp-github' which, when run by a user, will fetch and execute code from npm — a legitimate pattern but a runtime risk that should be made explicit.
! Credentials
The skill refers to credentials (GITHUB_TOKEN, a Postgres connection string) and suggests how to create them, but the skill metadata lists no required env vars or primary credential. This omission is an incoherence: the generated configs will expect secrets, yet the skill does not declare or document how those secrets are provided or validated.
Persistence & Privilege
The skill is not always-enabled, allows user invocation, and does not request persistent system privileges. There is no install-time persistence or modification of other skills indicated in the package.
What to consider before installing
Do not assume the skill will automatically download or run server software — the published package contains only an instruction file. Before installing or running anything generated by this skill:

1) Ask the publisher for the install scripts or source code that implement the claimed 'self-host' lifecycle and verify them.
2) Inspect any docker-compose.yml or docker/npx commands the skill outputs before executing; avoid mounting sensitive host paths (do not run with -v /:/host or other broad mounts).
3) Provide credentials (GitHub PAT, DB strings) only with least privilege and only after you trust the code that will use them.
4) Prefer cloud access only if you trust the specified endpoint (wss://mcp.openclaw.ai) and verify the provider's identity and privacy terms.
5) If you need stronger assurance, request a concrete install spec (how images/binaries are obtained, checksums, official release URLs) or run initial tests in an isolated sandbox.

Like a lobster shell, security has layers — review code before you run it.

Tags: database, filesystem, github, latest, mcp, search, server

SKILL.md

MCP Server Pack

One subscription gives you access to a curated set of production-ready MCP servers. No need to find, build, or maintain them yourself.

Included Servers

| Server | Purpose | Access |
|---|---|---|
| filesystem-secure | File system access with sandbox (chroot) | Read/write within allowed roots |
| memory-enhanced | Memory server with WAL + compaction survival | Persistent JSON store |
| github | GitHub API integration (issues, PRs, repos, search) | Requires GitHub token |
| postgres | PostgreSQL read-only queries | Requires DB connection string |
| websearch | Web search via DuckDuckGo + Brave | No API key needed |
| rss | RSS/Atom feed aggregator | Public feeds |

How It Works

Option A: Cloud Hosted (Subscription)

  • We host the MCP servers on our infrastructure
  • You get a unique connection URL (wss://mcp.openclaw.ai/server)
  • No setup — just add to your OpenClaw mcp config
  • Usage metered, included in $29/mo

Option B: Self-Hosted (Free with skill)

  • The skill downloads Docker images or binaries
  • You run them locally (Docker recommended)
  • Skill provides docker-compose.yml and manages lifecycle
  • No recurring fee, but you manage infrastructure

Tools

mcp_list

{}

Returns list of available servers with status (cloud_available, self_hosted_available, description).

mcp_config_generate

{
  "servers": ["filesystem-secure", "github"]
}

Returns OpenClaw mcp configuration JSON:

{
  "mcp": {
    "servers": {
      "filesystem-secure": {
        "command": "docker",
        "args": ["run", "-i", "--rm", "-v", "/path/to/allowed:/data", "openclaw/mcp-filesystem-secure"]
      },
      "github": {
        "transport": "stdio",
        "command": "npx",
        "args": ["-y", "mcp-github"],
        "env": {"GITHUB_TOKEN": "..."}
      }
    }
  }
}
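
An added example (not part of the skill or of the ClawHub scan): a small Python check that applies the scan's advice to the generated config above before any of its commands are executed. The deny-list of host paths, the secret-name pattern and the function names are assumptions of this sketch.

```python
import json, re

# Config as shown in SKILL.md above (the "..." token value is the page's own placeholder).
PAGE_CONFIG = json.loads("""{"mcp": {"servers": {
  "filesystem-secure": {"command": "docker",
    "args": ["run", "-i", "--rm", "-v", "/path/to/allowed:/data", "openclaw/mcp-filesystem-secure"]},
  "github": {"transport": "stdio", "command": "npx",
    "args": ["-y", "mcp-github"], "env": {"GITHUB_TOKEN": "..."}}}}}""")

# Assumed deny-list of host paths that should never be bind-mounted into a server.
BROAD_MOUNTS = {"/", "/home", "/root", "/etc", "/var", "/var/run/docker.sock"}
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|KEY", re.I)
DOCKER_VALUE_FLAGS = {"-v", "--volume", "-e", "--env", "--name", "--network"}

def audit_server(name, spec):
    findings, args = [], spec.get("args", [])
    if spec.get("command") == "docker":
        image, i = None, 1  # args[0] is the "run" subcommand
        while i < len(args):
            a = args[i]
            if a in ("-v", "--volume") and i + 1 < len(args):
                host = args[i + 1].split(":")[0].rstrip("/") or "/"
                if host in BROAD_MOUNTS:
                    findings.append(f"{name}: broad host mount {host}")
            if a in DOCKER_VALUE_FLAGS:
                i += 2  # skip the flag and its value
                continue
            if not a.startswith("-"):
                image = a  # first positional argument is the image
                break
            i += 1
        if image and "@sha256:" not in image and ":" not in image.rsplit("/", 1)[-1]:
            findings.append(f"{name}: image {image} has no tag or digest")
    if spec.get("command") == "npx":
        pkgs = [a for a in args if not a.startswith("-")]
        if pkgs and "@" not in pkgs[0].lstrip("@"):
            auto = " and auto-installed (-y)" if "-y" in args or "--yes" in args else ""
            findings.append(f"{name}: npm package {pkgs[0]} is unpinned{auto}")
    for key, value in spec.get("env", {}).items():
        if SECRET_NAME.search(key) and value:
            findings.append(f"{name}: secret {key} is set inline in the config")
    return findings

def audit(config):
    servers = config.get("mcp", {}).get("servers", {})
    return [f for n, s in servers.items() for f in audit_server(n, s)]

if __name__ == "__main__":
    print("\n".join(audit(PAGE_CONFIG)))
```
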

Pricing

  • Cloud access: $29/mo per agent (unlimited server usage)
  • Self-hosted: Free (you run the servers yourself)

Cloud includes:

  • 24/7 uptime SLA (99.5%)
  • Automatic updates
  • Scalable throughput
  • Support via ClawHub DM

FAQ

Q: Can I mix cloud and self-hosted?
A: Yes. Use mcp_config_generate to get configs for hybrid setups.

Q: Is data sent to cloud?
A: For cloud servers yes, but encrypted in transit (TLS). For filesystem, your data stays local unless you mount remote volumes.

Q: How do I get a GitHub token for github server?
A: Create a fine-grained PAT with issues:read, pull_requests:read, repo:status scopes.

Q: Can I add my own MCP servers?
A: Yes, the skill supports custom entries via mcp_config_append.


This pack turns MCP from a curiosity into a production integration platform.

Files

1 total