ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ainative Mcp Builder

v1.0.0

Build and publish custom MCP servers on AINative. Use when (1) Creating a new MCP server from scratch, (2) Adding tools to an existing MCP server, (3) Publis...

0· 87·1 current·1 all-time
byToby Morning@urbantech
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md content: examples for FastMCP (Python) and the MCP SDK (Node), configuration for Claude Code, and publishing guidance to npm/ClawHub. The requested capabilities (exposing tools, calling AINative endpoints) are coherent with the stated purpose.
!
Instruction Scope
The runtime instructions include concrete code that performs network calls to AINative endpoints and shows using an API key (API_KEY / AINATIVE_API_KEY). The SKILL.md does not instruct reading unrelated local files or broad system state, but it does reference credentials in-line and environment usage in examples — this access is outside what's declared in the skill metadata (no required env vars).
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing will be written to disk by the skill itself. The guidance to pip/npm-install third-party packages (fastmcp, @modelcontextprotocol/sdk) is expected for the described tasks and is documented in the instructions.
!
Credentials
The SKILL.md examples require an AINATIVE API key (API_KEY / AINATIVE_API_KEY) to call AINative APIs, but the skill's declared requirements list zero environment variables or primary credentials. That mismatch is disproportionate: the skill will only be useful with a credential, yet it doesn't declare or explain that requirement in metadata.
Persistence & Privilege
always:false and no requested config-path or persistent system modifications. The skill does not request permanent inclusion or modify other skills' configuration in the provided instructions.
What to consider before installing
This skill appears to legitimately show how to build and publish MCP servers, but take these precautions before installing or using it: - The SKILL.md examples use an AINATIVE API key (API_KEY / AINATIVE_API_KEY). The skill metadata does not declare this — ask the publisher to update the metadata to list required credentials before providing any secrets. - Only give an API key with the minimum scope needed (do not reuse a full-admin key). Prefer creating a scoped/test key and rotate it if you later revoke access. - The skill instructs installing third-party packages (pip/npm). Verify those packages' authors and source (PyPI/npm) and audit package versions before running installs. - The Python sample hardcodes API_KEY in code; avoid hardcoding secrets in repos. Use environment variables or a secure secrets mechanism instead. - If you must run example servers locally, sandbox them (container, VM) and monitor network traffic to ensure calls go only to expected AINative endpoints (api.ainative.studio) and not to unknown hosts. - Ask the skill author to correct the metadata (declare required env vars) and provide a source/homepage or repository so you can review the actual implementation before trusting published MCP packages. If the author cannot provide clearer metadata or a verifiable source, treat the skill as risky for production use.

Like a lobster shell, security has layers — review code before you run it.

latestvk971fytqw4htnk5gwvvt7cbe1n83hbtz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments