ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Site Mcp Consumer

v1.0.0

Wire one site-scoped read-only MCP sidecar to a local Campus Copilot snapshot.

0· 89·1 current·1 all-time
byYifeng[Terry] Yu@xiaojiou176

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaojiou176/site-mcp-consumer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Site Mcp Consumer" (xiaojiou176/site-mcp-consumer) from ClawHub.
Skill page: https://clawhub.ai/xiaojiou176/site-mcp-consumer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install site-mcp-consumer

ClawHub CLI

Package manager switcher

npx clawhub@latest install site-mcp-consumer
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The described goal (wire a site-scoped read-only MCP sidecar to a local Campus Copilot snapshot) matches the SKILL.md steps. However, the skill does not declare required tooling or env vars even though the instructions expect them (e.g., pnpm and the CAMPUS_COPILOT_SNAPSHOT variable). This is an internal inconsistency rather than a capability mismatch.
!
Instruction Scope
SKILL.md instructs the agent to set CAMPUS_COPILOT_SNAPSHOT and to run pnpm --filter @campus-copilot/mcp-readonly start:<site>, and it references local example config files and an 'openclaw' config shape. The skill metadata declares no required env vars, binaries, or config paths — so the instructions access resources/config that weren't declared. While the actions described are limited to local snapshot wiring and read-only operations, the mismatch means an operator won't know what preconditions/tools are needed.
Install Mechanism
There is no install spec and no code files; this instruction-only skill does not write to disk or fetch remote code during install, which minimizes install-time risk.
Credentials
No credentials or sensitive env vars are declared. The instructions do ask the user to point CAMPUS_COPILOT_SNAPSHOT at a JSON file (a path-like env var) which is not a secret but was not declared in requires.env. There are no requests for unrelated credentials — proportionality is acceptable but under-documented.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. Nothing in the metadata requests elevated or permanent presence or modifications to other skills.
What to consider before installing
This skill appears to do what it says (wire a local, read-only snapshot sidecar), but the SKILL.md references tools and an environment variable that aren't declared in the metadata. Before installing or using it: 1) verify you have pnpm and the named @campus-copilot sidecar package and binaries available locally; 2) confirm the intent and contents of CAMPUS_COPILOT_SNAPSHOT (it's a path to a JSON snapshot — ensure it contains only non-sensitive test data and not live credentials or tokens); 3) inspect the example config files referenced in the repo to ensure they don't contain secrets or unexpected remote endpoints; and 4) ask the publisher to update the skill manifest to declare required binaries (pnpm or the specific sidecar binaries) and the CAMPUS_COPILOT_SNAPSHOT env var so preconditions are explicit. These steps reduce operational surprises — the current mismatch is likely sloppy documentation, but it should be fixed before trusting the skill in production.

Like a lobster shell, security has layers — review code before you run it.

campus-copilotvk97fxbztxsn3m8edeza7xk95t584jd23latestvk97fxbztxsn3m8edeza7xk95t584jd23read-onlyvk97fxbztxsn3m8edeza7xk95t584jd23
89downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Yifeng[Terry] Yu@xiaojiou176
campus-copilotlatestread-only
Download

Site MCP Consumer

Use this skill when you want to wire one of the site-scoped read-only MCP sidecars into Codex, Claude Code, Claude Desktop, or another local MCP-capable runtime that should keep Campus Copilot on the snapshot-first side.

Pick the right surface first

  • If you need cross-site health, provider status, ask_campus_copilot, or export tools, start with the generic server examples under examples/integrations/ instead of a site sidecar.
  • If you only need one site's records from a snapshot, keep using this skill and @campus-copilot/mcp-readonly.

Inputs

  • one site name: canvas, gradescope, edstem, or myuw
  • one snapshot path such as examples/workspace-snapshot.sample.json
  • one local consumer that can launch a stdio MCP sidecar

Steps

  1. Choose one site MCP binary:
    • campus-copilot-mcp-canvas
    • campus-copilot-mcp-gradescope
    • campus-copilot-mcp-edstem
    • campus-copilot-mcp-myuw
  2. Point CAMPUS_COPILOT_SNAPSHOT at a snapshot JSON file.
  3. Run the sidecar with pnpm --filter @campus-copilot/mcp-readonly start:<site>.
  4. Start with get_site_overview, then move to the site-specific list tools.
  5. If your consumer wants a JSON config example, reuse:
    • examples/mcp/codex.example.json
    • examples/mcp/claude-desktop.example.json
    • examples/mcp/codex-repo-root.example.json
    • examples/mcp/claude-desktop-repo-root.example.json
  6. If your runtime is OpenClaw-style or another local operator shell, treat those config files as reusable only when it explicitly supports the same mcpServers shape. Otherwise, use the sidecar command directly and follow examples/openclaw-readonly.md.
  7. Keep all claims snapshot-scoped and read-only.

Good fit

  • inspect one site's current assignments, messages, or events
  • keep a coding-agent workflow grounded in one snapshot instead of raw browser state
  • test builder-side integration without reopening live campus sessions

Not a fit

  • live browser takeover
  • posting, replying, or submitting on external services
  • inventing a write-capable plugin contract

Recommended repo-local references

  • examples/integrations/codex-mcp.example.json
  • examples/integrations/claude-code-mcp.example.json
  • examples/mcp/claude-desktop.example.json
  • examples/mcp/codex-repo-root.example.json
  • examples/mcp/claude-desktop-repo-root.example.json
  • examples/openclaw-readonly.md

Comments

Loading comments...