Idea Check
Security checks across malware telemetry and agentic risk
Overview
Idea Check is coherent, but it asks the agent to run a local command containing user-provided idea text and depends on an unpinned external MCP package.
Review the MCP package before configuring it, avoid submitting confidential project ideas, and prefer a safer version of the workflow that passes the idea text as a structured argument rather than interpolating it into a shell command.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A specially crafted idea containing quotes or shell metacharacters could change which command runs in the user’s environment if the exec tool interprets the command line through a shell.
The skill tells the agent to place user-derived idea text inside a local exec command line, but does not specify safe quoting, escaping, or structured arguments.
"command": "mcporter call idea-reality.idea_check idea_text=\"<extracted idea description>\" depth=quick"
Use a structured tool invocation or argument array where possible, or explicitly require robust shell escaping/validation before inserting user text into the command.
The skill’s behavior depends on trusting the external idea-reality-mcp package and whatever version uvx resolves at setup or run time.
The skill depends on an external MCP server package executed through uvx, without a pinned version or included source code in the reviewed artifacts.
mcporter config add idea-reality --command "uvx idea-reality-mcp"
Install only from a trusted package source, consider pinning the MCP package version, and review the package’s source or provenance before use.
Confidential or unreleased project ideas may be exposed as search queries or processed by the MCP server.
The user’s idea text is passed to an MCP server that performs searches across external services; this is purpose-aligned but creates a data flow that users should understand.
Scans GitHub, Hacker News, npm, PyPI, and Product Hunt ... mcporter call idea-reality.idea_check idea_text="<extracted idea description>"
Avoid using confidential details unless you trust the MCP server and are comfortable with the related external searches.
