ClawHub

Tencent Docs Mcporter

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent mcporter CLI helper that can access MCP services and change auth/config state, so it is acceptable but should be used deliberately.

Before installing, understand that this gives your agent a convenient way to call MCP tools, authenticate to services, edit mcporter configuration, run stdio server commands, and start a daemon. Use explicit approval for auth, config changes, arbitrary URLs, stdio commands, and daemon operations, especially when connected MCP servers can modify external accounts or private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is very broad and covers listing, configuring, authenticating, direct server calls, ad-hoc servers, and config edits without defining when each action is appropriate or what safety checks should precede them. In an agent setting, this ambiguity can lead to overbroad tool use, including unintended network access, credential flows, or local state changes beyond user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation exposes operations that can modify local configuration, initiate authentication, contact external MCP endpoints, and execute stdio-backed servers, but it does not warn that these actions can affect external systems, create or alter local state, or expose sensitive data. Without clear warnings, an agent or user may treat these as routine read-only operations and trigger impactful side effects unintentionally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal