ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Godot MCP Integration

v1.0.0

Godot MCP (Model Context Protocol) integration enabling AI assistants to directly interact with Godot Editor. Use when working with Godot projects through AI...

0· 322·1 current·1 all-time
byMr.Tang@thb32133451
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Godot MCP integration) matches the instructions and API reference: scene/node/script/filesystem/editor/debug operations are all relevant. Minor inconsistency: SKILL metadata lists no required binaries, but the SKILL.md tells users to run `git clone` (so git is effectively required) — this is a small documentation/metadata mismatch but not a functional red flag.
Instruction Scope
The SKILL.md stays on-topic: it instructs cloning a Godot MCP plugin, copying it into a project, enabling it in Godot, and configuring AI clients to call the local MCP endpoint. It does instruct writing to various per-user AI client config files (e.g., ~/.cursor/mcp.json) and to copy files into project paths — both expected for this integration. There are no instructions to read unrelated system secrets or to contact remote endpoints other than GitHub (for the plugin) and localhost (the MCP server).
Install Mechanism
This is instruction-only (no bundled code) and asks to git clone a repository on GitHub (https://github.com/DaxianLee/godot-mcp.git). GitHub is a common source, but because the skill does not bundle or include the plugin code, you will be fetching and enabling external code that was not reviewed as part of this skill package — review/verify that repository before running its code. The SKILL.md does not provide a release fingerprint or checksum.
Credentials
The skill declares no required environment variables or credentials and indeed its instructions do not request API keys or secrets. It does ask users to modify per-user AI client config files and Godot project files (expected). There are no demands for unrelated credentials or system-wide config paths.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not request to modify other skills or global agent settings. Enabling the Godot plugin will grant it typical editor-level permissions (project file access) — appropriate for a Godot editor integration.
Assessment
This skill appears to be what it says: documentation for a Godot MCP plugin and how to configure AI clients to use a local MCP endpoint. Before installing: 1) Inspect the GitHub repository the instructions ask you to clone (https://github.com/DaxianLee/godot-mcp.git) — read the plugin code, README, and issues to ensure it’s trustworthy. 2) Back up your Godot project before copying/enabling the plugin. 3) Prefer cloning into an isolated project or sandbox first to observe behavior and logs. 4) When configuring AI clients, confirm they connect to the local address (127.0.0.1:3000) and avoid exposing the MCP endpoint to the public internet. 5) Note the metadata omission: git is required to follow the instructions even though 'required binaries' lists none — ensure git is available and verify the repository before running commands.

Like a lobster shell, security has layers — review code before you run it.

latestvk9790j72g0zzfwd7hmy6zx2f4x8281pf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments