ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shaper

v1.0.0

Connect to a Shaper (useshaper.com) workspace via MCP to execute Shape Up methodology as an AI agent. Use when the user wants an agent to work inside their S...

0· 184·0 current·0 all-time
by@jax-agent

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jax-agent/shaper.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Shaper" (jax-agent/shaper) from ClawHub.
Skill page: https://clawhub.ai/jax-agent/shaper
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install shaper

ClawHub CLI

Package manager switcher

npx clawhub@latest install shaper
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only connector for the Shaper MCP API and its documented API calls (get_active_work, get_pitch_context, create_scope, update_scope_hill_position, complete_scope) align with the stated Shape Up workspace workflow. However, the included reference also exposes an unauthenticated agent_register call that issues api_key values — this capability is not mentioned in the top-level SKILL.md instructions and is potentially surprising.
!
Instruction Scope
SKILL.md instructs the agent to use a workspace API key and suggests exporting SHAPER_API_KEY and SHAPER_WORKSPACE_SLUG or asking the user to provide them. Those env vars are referenced in runtime examples but are not declared in the skill metadata. The instructions permit reading full pitch documents and updating/completing scopes (expected), but they do not document the agent_register tool which can create workspaces and return an api_key without auth — this expands the agent's possible behavior beyond what's described and could be used to create credentials autonomously.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be written to disk by an installer.
!
Credentials
The skill metadata lists no required env vars, yet the SKILL.md examples instruct using SHAPER_API_KEY and SHAPER_WORKSPACE_SLUG. Requiring a workspace API key is reasonable for this integration, but the mismatch between declared and used environment variables is a coherence issue. Additionally, the references show agent_register returns an api_key without authentication, which could be used to obtain credentials programmatically; that broadens the set of secrets the agent can acquire and use.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. Autonomous model invocation is allowed by default (normal for skills). There is no indication it modifies other skills or system-wide configs.
What to consider before installing
This skill is largely coherent with its stated purpose (acting inside a Shaper workspace), but there are some red flags you should consider before installing: - Credential handling mismatch: The SKILL.md instructs using SHAPER_API_KEY and SHAPER_WORKSPACE_SLUG (examples show exporting them), but the skill metadata declares no required env vars. Ask the publisher to explicitly declare required env vars in metadata so you can audit what secrets the skill will use. - Unauthenticated agent registration: The included references/tools.md documents an agent_register endpoint that requires no auth and returns an api_key and claim_url. That lets an agent create a workspace and obtain credentials autonomously — confirm whether the skill will call this endpoint automatically. If it does, an agent could create and use credentials without you providing them, which may be unexpected. - Least privilege: Only provide a workspace API key when needed, and prefer creating an ephemeral/test workspace for first use rather than giving access to production data. Do not put API keys into shared shell init files or public logs. - Ask the publisher to clarify: 1) whether the skill ever calls agent_register, 2) whether it stores or transmits the API key elsewhere, and 3) update metadata to list the env vars it actually uses. If the publisher cannot or will not clarify, treat the skill as higher risk and test in an isolated workspace. If you proceed, restrict the API key to a workspace with minimal sensitive data and monitor actions the agent takes (scopes created/completed, hill updates).

Like a lobster shell, security has layers — review code before you run it.

latestvk975a424fpe8kk26x8bxypt71x834p01mcpvk975a424fpe8kk26x8bxypt71x834p01project-managementvk975a424fpe8kk26x8bxypt71x834p01shapeupvk975a424fpe8kk26x8bxypt71x834p01
184downloads
0stars
1versions
Updated 14h ago
v1.0.0
MIT-0
@jax-agent
latestmcpproject-managementshapeup
Download

Shaper

Shaper is a Shape Up project management tool at useshaper.com. This skill connects you to a workspace via MCP (JSON-RPC 2.0) so you can act as an agent inside a human's Shape Up cycle.

Setup

Get the API key from: https://useshaper.com/<workspace-slug>/settings → "Connect Agents" → Generate API key.

Store it:

export SHAPER_API_KEY="shp_..."
export SHAPER_WORKSPACE_SLUG="your-slug"

Or ask the user to provide it directly.

Core Workflow

Always orient before working:

  1. Call get_active_work — see current cycle, pitches in flight, all scopes + hill positions
  2. Call get_pitch_context on the relevant pitch — read the full spec before touching code
  3. Do the work
  4. Call update_scope_hill_position as you make progress (0.0 = not started → 0.5 = over the hill → 1.0 = done)
  5. Call complete_scope when a scope is finished

MCP Endpoint

POST https://useshaper.com/mcp
Authorization: Bearer <api_key>
Content-Type: application/json

JSON-RPC 2.0 format:

{"jsonrpc":"2.0","method":"tools/call","params":{"name":"<tool>","arguments":{...}},"id":1}

Essential Tools

Orient (use first)

curl -s -X POST https://useshaper.com/mcp \
  -H "Authorization: Bearer $SHAPER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"get_active_work","arguments":{}},"id":1}'

Returns: active cycle + all betting/bet pitches + all scopes with hill positions + completion summary.

Read a pitch spec

-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"get_pitch_context","arguments":{"pitch_id":"<ID>"}},"id":1}'

Returns: full pitch document — problem, solution, appetite, BDD scenarios.

Create a scope

-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"create_scope","arguments":{"cycle_id":"<ID>","title":"<title>","pitch_id":"<ID>"}},"id":1}'

Update hill chart position

-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"update_scope_hill_position","arguments":{"scope_id":"<ID>","position":0.5}},"id":1}'

Position is 0.0–1.0. Use 0.25 = figuring it out, 0.5 = over the hill (approach clear), 0.75 = mostly done, 1.0 = complete.

Complete a scope

-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"complete_scope","arguments":{"scope_id":"<ID>"}},"id":1}'

All Tools

See references/tools.md for full input schemas and all available tools.

Discovery

Full tool schemas: GET https://useshaper.com/.well-known/mcp.json

Comments

Loading comments...