ScopeBlind protect-mcp
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may run a newer or different package version than expected, which matters because the package is intended to sit in front of MCP tool calls.
The skill instructs users to install an unpinned npm package globally. This is disclosed and central to the tool’s purpose, but @latest means the installed code can change over time.
install: |
  npm install -g protect-mcp@latest
Verify the npm package publisher and version, prefer a pinned version, and review release notes before installing or updating.
If invoked incautiously, the agent could run local commands or read/write policy-related files while setting up the gateway.
The skill declares local shell and file access so the agent can run the gateway and work with policy files. This aligns with the MCP proxy purpose, but it is still broad local authority.
allowed-tools:
  - Bash
  - Read
  - Write
Use the commands only when you intend to configure the gateway, review policies before enforce mode, and avoid granting broader file access than needed.
Audit logs or signed receipts could contain sensitive information from tool usage and may persist after the session.
The gateway’s audit behavior is explicit, but “logs everything” may include sensitive MCP tool-call details depending on the wrapped server and tool arguments.
Shadow mode logs everything without blocking. Enforce mode applies policy.
Check where logs and receipts are stored, limit what tool-call data is captured when possible, protect signing keys, and avoid wrapping sensitive servers without a retention plan.
The proxy can observe and influence communication between the agent and wrapped MCP tools.
The skill is explicitly an intermediary for MCP communications. That is the core purpose, but users should understand the trust boundary introduced by placing a proxy between an agent and MCP server.
Wraps any MCP server as a transparent stdio proxy with per-tool security policies and cryptographic audit trail.
Use it only with MCP servers and policies you trust, and confirm that the proxy configuration matches the intended server and tool scope.
