Skills Indec MCP
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is purpose-aligned and transparent, but users should notice that it runs an unpinned npm MCP package and includes disclosed POST actions for submissions and email subscription.
Before installing, verify that the npm package and linked GitHub repository are the ones you intend to trust. Treat search and lookup tools as low risk, but review any submit_tool or subscribe action before allowing the agent to send a URL, description, or email address.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the npm package changes or is compromised, the code run by the MCP server could differ from what the user expected.
The runnable MCP server is fetched and run from npm via npx, with no package version pinned in the artifact. This is coherent for an npm-based MCP skill, but it makes npm package provenance and version drift relevant.
"install": { "type": "npx", "package": "skillsindex-mcp", "command": "npx", "args": ["skillsindex-mcp"] }
Verify the npm package and referenced repository before installing, and consider pinning a specific trusted package version where the client supports it.
The agent could submit a tool listing or send an email address to SkillsIndex if those tools are invoked.
The skill includes tools that send user-provided data to external endpoints. These actions are disclosed and aligned with the directory/subscription purpose, but they are not read-only.
“Write operations — `submit_tool` POSTs a tool name + URL to `skillsindex.dev/api/mcp/submit` ...; `subscribe` POSTs an email to `skillsindex.dev/api/subscribe`”
Use the write tools only after confirming the exact name, URL, description, and email address the agent will send.
