Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mcp Client

v0.1.1

MCP Client skill connects and manages MCP servers via stdio or SSE, supporting tool calls, resource reads, prompts, permission control, auditing, and error h...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
Name/description and code align: this is an MCP client implementing stdio and SSE transports and tool/resource calls. However, the shipped configuration (src/mcp-config.json) contains a hardcoded GitHub token and Windows user workspace paths that are unrelated to the declared 'no env vars required' metadata. Having a baked-in GITHUB_TOKEN and host-specific paths is disproportionate to a generic client library and suggests leaked or environment-specific config bundled into the package.
!
Instruction Scope
SKILL.md and CLI instruct running npm install, starting npx-based MCP servers, and running tests that will attempt real connections and may read local files. The CLI implementation (src/mcp-skill.js -> cli()) constructs the skill with autoApprove: true and requireApproval: false and autoApprovePatterns ['*'], effectively disabling approval in that mode — this broad, implicit auto-approval increases risk of unintended tool/resource access. Tests and integration scripts reference absolute local paths (C:\Users\99236\.openclaw\workspace) and will try to read those if run.
Install Mechanism
There is no registry install spec in the metadata (instruction-only from registry), but the package includes package.json/package-lock.json so the intended install is npm install (documented in SKILL.md). Dependencies come from npm (including an MCP SDK). Using npm and npx to spawn servers is expected for this functionality, but running npx to fetch and execute packages will run remote code — standard for this domain but worth noting.
!
Credentials
Registry metadata declares no required env vars, yet src/mcp-config.json contains an explicit GITHUB_TOKEN value (looks like a personal access token) and server configs that use process.env.GITHUB_TOKEN as a fallback. The skill will merge server env into subprocesses, so any token in the config would be passed to child processes. Hardcoded credentials in the repo are disproportionate and a high-risk finding: treat the token as compromised and rotate immediately if it is real.
Persistence & Privilege
always: false (good). The skill exports a default instance (export const mcpSkill = new OpenClawMCPSkill()) which reads/writes its own mcp-config.json in the skill directory when imported — normal for a skill that stores config. The more concerning behavior is that the CLI mode auto-approves operations (see instruction_scope). The skill does not request elevated system privileges or attempt to edit other skills' configs.
What to consider before installing
Do not install or run this skill without cleaning the bundled configuration and reviewing behavior. Specific actions to take before use:
- Inspect src/mcp-config.json and remove or replace the hardcoded GITHUB_TOKEN. If that token is real, consider it leaked and rotate it immediately.
- Replace absolute/local paths (e.g., C:\Users\99236\.openclaw\workspace) with safe workspace-relative paths or placeholders.
- Avoid running the test scripts or the CLI in auto-approve mode until you understand the approvals: the CLI (when run directly) sets autoApprove: true and requireApproval: false and auto-approves '*', which will allow all tool/resource calls without prompts.
- Understand that npm / npx will fetch and execute packages (e.g., @modelcontextprotocol/server-*). Run in an isolated environment (container or VM) if you need to test.
- If you need GitHub access, configure tokens via environment variables at runtime (do not commit them) and verify the code reads process.env rather than a baked-in value.
- If you already ran this package with the included token, rotate the token and check GitHub logs for suspicious activity.
- If you intend to use this as an OpenClaw skill, consider forking and removing sensitive defaults, disabling auto-approve by default, and re-running security review before deployment.
