Skill v1.0.0

ClawScan security

Godot MCP Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 4, 2026, 8:01 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with a Godot editor integration: it documents an MCP API, how to install a Godot plugin from GitHub, and how to configure AI clients — but it asks you to download and enable external plugin code that is not bundled with the skill, so inspect that repository before running it.
Guidance
This skill appears to be what it says: documentation for a Godot MCP plugin and how to configure AI clients to use a local MCP endpoint. Before installing:
1) Inspect the GitHub repository the instructions ask you to clone (https://github.com/DaxianLee/godot-mcp.git) — read the plugin code, README, and issues to ensure it’s trustworthy.
2) Back up your Godot project before copying/enabling the plugin.
3) Prefer cloning into an isolated project or sandbox first to observe behavior and logs.
4) When configuring AI clients, confirm they connect to the local address (127.0.0.1:3000) and avoid exposing the MCP endpoint to the public internet.
5) Note the metadata omission: git is required to follow the instructions even though 'required binaries' lists none — ensure git is available and verify the repository before running commands.

Review Dimensions

Purpose & Capability
note
The name/description (Godot MCP integration) matches the instructions and API reference: scene/node/script/filesystem/editor/debug operations are all relevant. Minor inconsistency: SKILL metadata lists no required binaries, but the SKILL.md tells users to run `git clone` (so git is effectively required) — this is a small documentation/metadata mismatch but not a functional red flag.
Instruction Scope
ok
The SKILL.md stays on-topic: it instructs cloning a Godot MCP plugin, copying it into a project, enabling it in Godot, and configuring AI clients to call the local MCP endpoint. It does instruct writing to various per-user AI client config files (e.g., ~/.cursor/mcp.json) and to copy files into project paths — both expected for this integration. There are no instructions to read unrelated system secrets or to contact remote endpoints other than GitHub (for the plugin) and localhost (the MCP server).
Install Mechanism
note
This is instruction-only (no bundled code) and asks to git clone a repository on GitHub (https://github.com/DaxianLee/godot-mcp.git). GitHub is a common source, but because the skill does not bundle or include the plugin code, you will be fetching and enabling external code that was not reviewed as part of this skill package — review/verify that repository before running its code. The SKILL.md does not provide a release fingerprint or checksum.
Credentials
ok
The skill declares no required environment variables or credentials and indeed its instructions do not request API keys or secrets. It does ask users to modify per-user AI client config files and Godot project files (expected). There are no demands for unrelated credentials or system-wide config paths.
Persistence & Privilege
ok
The skill does not request always:true and is user-invocable only. It does not request to modify other skills or global agent settings. Enabling the Godot plugin will grant it typical editor-level permissions (project file access) — appropriate for a Godot editor integration.