Deal Works Mcp
v0.1.0
AI agent infrastructure for deals, escrow, attestations, and autonomous agents. 39 tools across 9 engines.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and SKILL.md: the package exposes 9 engines / 39 tools for deals, escrow, agents, attestations and uses only node and an API key. Required binaries and the single env var (DEAL_WORKS_API_KEY) are appropriate for an HTTP client to an external SaaS.
Instruction Scope
SKILL.md instructs installing the npm package and setting DEAL_WORKS_API_KEY. The runtime code calls only the declared *.works service endpoints via HTTP and does not read unrelated files or additional environment variables. Tool handlers perform expected API requests for listed functionality.
Install Mechanism
Install is via an npm package (@swgoettelman/deal-works-mcp) which is expected for an MCP server. This is moderate risk compared to instruction-only skills (npm packages run code locally). Verify the package publisher and registry before installing. No remote arbitrary downloads or extract-from-URL patterns were detected.
Credentials
Only DEAL_WORKS_API_KEY is required and declared as the primary credential. The code explicitly uses process.env.DEAL_WORKS_API_KEY for Authorization. The API key is treated as granting broad scopes (auth.ts notes 'API key has all scopes'), which is consistent with the service but is sensitive—it is proportional but powerful.
Persistence & Privilege
Skill is not always-enabled, does not request system config paths, and installs its own binary only. It does not modify other skills or system-wide configs in the provided code. Autonomous invocation is allowed (default) but not combined with other red flags.
Assessment
This skill appears coherent and implements what it advertises, but take these precautions before installing:
- Verify the npm package publisher and the package name (@swgoettelman/deal-works-mcp) on the registry and confirm the linked GitHub repository matches the publisher.
- Confirm the deal.works / hq.works domains and documentation are legitimate and match the package's homepage/repo.
- Limit the DEAL_WORKS_API_KEY you provide (use least privilege / engine-scoped key if possible) because the code treats API keys as granting full scopes and the skill can perform fund/escrow/agent operations.
- Review the package release history and maintainers; avoid installing unsigned or unfamiliar packages globally if you don't trust the author.
- Note minor inconsistencies in README/SKILL.md (package name variations like @goettelman vs @swgoettelman) — likely typos but worth verifying the correct package to avoid typosquatting.
If you can verify the publisher and repo, the skill is coherent and consistent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🤝 Clawdis
Bins: node
Env: DEAL_WORKS_API_KEY
Primary env: DEAL_WORKS_API_KEY
Install
Node
Bins: deal-works-mcp
npm i -g @swgoettelman/deal-works-mcp