ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Prooflane MCP Skill

v0.1.0

Clone, install, configure, and run Prooflane's repo-native MCP server locally for evaluation and verification without published package registry dependencies.

0· 109·0 current·0 all-time
byYifeng[Terry] Yu@xiaojiou176

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaojiou176/prooflane-mcp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Prooflane MCP Skill" (xiaojiou176/prooflane-mcp) from ClawHub.
Skill page: https://clawhub.ai/xiaojiou176/prooflane-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install prooflane-mcp

ClawHub CLI

Package manager switcher

npx clawhub@latest install prooflane-mcp
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions align: the skill is an instruction-only scaffold to clone, install, configure, and run a repo-native MCP server. Required tools (git, Node.js, pnpm, Python) and the commands shown are consistent with that purpose. However, the canonical repo is hosted under an apparently personal/unknown GitHub account (xiaojiou176-open), which reduces provenance confidence.
!
Instruction Scope
SKILL.md explicitly instructs running remote install and runtime scripts from the cloned repo (./scripts/setup.sh, pnpm mcp:start and other pnpm tasks). Those commands will execute code that lives in the external repository; the skill provides no packaged code to inspect and does not sandbox or limit what those scripts do. This is expected for the stated goal but is a scope risk because arbitrary code execution is required.
Install Mechanism
There is no install spec in the skill packet (instruction-only), which is lower automation risk. However, the install path requires cloning a third-party GitHub repository and running its setup/start scripts. Downloading and executing code from an external repo is higher risk than a purely local or vetted package install — verify the repo and scripts first.
Credentials
The skill does not request any secrets or environment variables in the manifest. The documented env vars (UIQ_MCP_API_BASE_URL, UIQ_MCP_TOOL_GROUPS, UIQ_MCP_PERFECT_MODE, and optionally AUTOMATION_API_TOKEN) are reasonable and relevant to running a local MCP server. AUTOMATION_API_TOKEN is optional and only needed if the server exposes token-protected HTTP APIs.
Persistence & Privilege
The skill is not always-enabled, does not require platform-level privileges, and is instruction-only (it does not persist credentials or modify other skills). Autonomous invocation remains possible (default), but that is the platform norm and not by itself a reason to flag.
What to consider before installing
This packet is coherent for its stated purpose, but before you run anything: (1) inspect the upstream repository and the contents of ./scripts/setup.sh and any pnpm scripts referenced (pnpm mcp:start, mcp:check, etc.) to check for unexpected network calls, remote downloads, or privileged operations; (2) prefer cloning a specific commit/tag (pin the repo) rather than the default branch; (3) run the setup and server inside an isolated environment (VM or disposable container) and not on production hosts; (4) avoid supplying any sensitive credentials or tokens unless you audited how they are used; (5) if you need higher assurance, ask the publisher to provide a signed release, a verified organization repository, or a published package on a trusted registry so you can avoid running unreviewed repository scripts. If you can provide the contents of the repo (or the specific scripts referenced), I can re-evaluate with higher confidence.
!
references/OPENCLAW_MCP_CONFIG.json:11
Install source points to URL shortener or raw IP.
!
references/OPENHANDS_MCP_CONFIG.json:10
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

automationvk97fw84j3w2bng5rvyts3v0rxs84h73platestvk97fw84j3w2bng5rvyts3v0rxs84h73pmcpvk97fw84j3w2bng5rvyts3v0rxs84h73pproofvk97fw84j3w2bng5rvyts3v0rxs84h73pprooflanevk97fw84j3w2bng5rvyts3v0rxs84h73previewvk97fw84j3w2bng5rvyts3v0rxs84h73p
109downloads
0stars
1versions
Updated 2w ago
v0.1.0
MIT-0
Yifeng[Terry] Yu@xiaojiou176
automationlatestmcpproofprooflanereview
Download

Prooflane MCP Skill

Use this skill when an agent needs to clone, install, configure, verify, and use Prooflane's current MCP and local product surfaces without overclaiming package-registry or hosted distribution that does not exist yet.

Use When

  • You want to evaluate Prooflane from the canonical public repository.
  • You want to connect Codex, Claude Code, OpenClaw, or another MCP-capable client to Prooflane's repo-native MCP server.
  • You need a truthful walkthrough for local UI first-look, MCP setup, and governed run verification.

Truthful Boundaries

  • Prooflane is public and distribution-ready on GitHub today.
  • The MCP server is real and repo-native today.
  • The package shape @uiq/mcp-server / prooflane-mcp is publish-ready, but it is not published to npm yet.
  • MCP today means stdio only.
  • Local stdio startup does not use OAuth; protected HTTP/API and automation surfaces keep the existing token/header contract.
  • Prooflane is not currently a hosted SaaS service.
  • This skill is a generic in-repo scaffold. It is not a published skill marketplace artifact yet.

Prerequisites

  • Git
  • Node.js 20+
  • pnpm
  • Python 3.12+
  • A local shell session inside the cloned ui-automation-control-plane checkout

Canonical Repo

git clone https://github.com/xiaojiou176-open/ui-automation-control-plane.git
cd ui-automation-control-plane

Install

./scripts/setup.sh

If you already trust the workspace toolchain and only need JS dependencies:

pnpm install

First Local Product Win

Launch the local stress-lab shell:

./scripts/dev-up.sh

What success looks like:

  • Command Center on http://127.0.0.1:17373
  • API health on http://127.0.0.1:17380/health/
  • A visible Stress Lab surface with Runs & Blocks, Flow Studio, and Advanced Review

Repo-Native MCP Start (Today)

Start the current repo-native MCP server from your cloned checkout:

pnpm mcp:start

This is the truthful installation path today.

Publish-Ready Package Shape (Not Published Yet)

Once the MCP package is actually published, the intended command shape is:

npx -y @uiq/mcp-server

or:

pnpm dlx @uiq/mcp-server

Do not claim this package is published until registry publication really happens.

Minimal MCP Client Configuration

Repo-native today

{
  "mcpServers": {
    "uiq": {
      "command": "pnpm",
      "args": ["mcp:start"],
      "cwd": "/absolute/path/to/ui-automation-control-plane",
      "env": {
        "UIQ_MCP_API_BASE_URL": "http://127.0.0.1:18080",
        "UIQ_MCP_TOOL_GROUPS": "advanced,analysis,proof"
      }
    }
  }
}

Publish-ready package shape (not live yet)

{
  "mcpServers": {
    "uiq": {
      "command": "npx",
      "args": ["-y", "@uiq/mcp-server"],
      "env": {
        "UIQ_MCP_API_BASE_URL": "http://127.0.0.1:18080",
        "UIQ_MCP_TOOL_GROUPS": "advanced,analysis,proof"
      }
    }
  }
}

Environment Variables

  • UIQ_MCP_API_BASE_URL Use this to point MCP at a different backend lane.
  • UIQ_MCP_TOOL_GROUPS Use this to opt into optional MCP tool groups.
  • UIQ_MCP_PERFECT_MODE Keeps stricter MCP defaults.
  • AUTOMATION_API_TOKEN Needed only when token-protected HTTP/API surfaces are enabled.

Minimal Verification

Run these from your cloned ui-automation-control-plane checkout:

pnpm mcp:check
pnpm mcp:build
pnpm mcp:package:smoke
pnpm mcp:doc:contract
pnpm mcp:smoke

Expected result:

  • TypeScript check passes
  • build emits services/mcp-server/dist/
  • package smoke keeps the stdio server alive through startup
  • docs contract passes
  • MCP smoke passes

Start here

  1. Read references/INSTALL.md
  2. Load the right host config from:
  3. Skim the tool surface in references/CAPABILITIES.md
  4. Run the first review loop from references/DEMO.md
  5. If attach or proof fails, use references/TROUBLESHOOTING.md

Comments

Loading comments...