St Ent Mcp
Security checks across malware telemetry and agentic risk
Overview
The skill appears to do what it claims—querying 699pic enterprise asset APIs—but it uses an enterprise API key and a local MCP registration that users should verify before use.
Use this skill only with a trusted 699pic enterprise API key and endpoint. Set SERVICE_API_BASE_URL explicitly if the default is not your intended service, review scripts/openapi.js and any local st-mcp mcporter registration, and confirm the exact asset before generating download links.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API calls may access enterprise download records and generate asset download links using the configured account.
The script authorizes requests with an enterprise API key. This is purpose-aligned and disclosed, but it gives the skill authority to act under the user's 699pic enterprise account.
const API_KEY = process.env.SERVICE_API_KEY || ''; ... 'x-api-key': API_KEY,
Use only a trusted, scoped 699pic enterprise API key; verify SERVICE_API_BASE_URL before running; rotate the key if it is exposed.
An unintended call could generate a link or record activity for the wrong enterprise asset.
The CLI can request a download-link operation through the provider API. This matches the stated purpose, but users should ensure the target asset is intentionally selected.
case 'download-asset': { ... await request('/openapi/Down/asset', { asset_type, asset_id: id, file_type });
Confirm the asset type and asset id with the user before invoking download-asset, as the SKILL.md already recommends.
Install-time metadata may not warn users that a credential and local tooling are needed.
The registry metadata under-declares requirements that SKILL.md and openapi.js require, including Node.js, optional mcporter use, and SERVICE_API_KEY.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Publisher should declare SERVICE_API_KEY, Node.js, and optional mcporter requirements in registry metadata; users should read SKILL.md before use.
If the local MCP registration points somewhere unexpected, user queries or API credentials could be sent to the wrong local command or service.
The MCP route depends on a local st-mcp registration that is not included in the artifact set, so its actual command, identity, environment, and permissions must be verified on the user's machine.
Confirm any local `mcporter` registration named `st-mcp` and review its config, command, env, and permissions.
Before using the MCP route, inspect the mcporter registration and prefer the reviewed bundled script if the registration cannot be verified.
