mx-auto
Audited by ClawScan on May 10, 2026.
Overview
The skill’s trigger-running purpose is coherent, but it handles high-privilege Runtime tokens and optional stored tokens in ways users should review carefully.
Install only if you trust this skill to run local App triggers for you. Keep Runtime base URLs restricted to trusted localhost endpoints, avoid storing cloud tokens unless needed, refresh and inspect trigger lists before important runs, and confirm the side effects of any trigger before executing it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Runtime admin token can authorize local trigger execution under the user’s privileges, and a misconfigured or untrusted base URL could receive that token.
The script discovers a Runtime admin token from environment variables or a local Runtime token file, then uses it as a Bearer token for command dispatch. The base URL is configurable, so this is high-privilege credential use that is not reflected in the registry’s credential declarations.
local env_token="${MX_APP_RUNTIME_ADMIN_TOKEN:-${RPA_RUNTIME_ADMIN_TOKEN:-}}" ... const file = path.join(process.argv[1], "runtime", "admin-token.json"); ... -H "Authorization: Bearer $TOKEN" ... "$SEND_URL"
Use only trusted local Runtime URLs, preferably localhost/127.0.0.1, and verify token handling before running triggers. The skill should declare this credential requirement and enforce local-only token destinations.
If a user or agent stores a cloud token with this helper, the secret may be displayed in plain text.
When setting any preference key, including defaultCloudToken, the helper writes the value and then prints the raw key/value pair to stdout. That can expose a token in agent logs or chat output.
write_value "$key" "$value" "$pref_path"
printf '%s=%s\n' "$key" "$value"
Avoid storing tokens with this helper unless necessary. The skill should suppress or mask secret values when setting defaultCloudToken.
A named trigger could run a real workflow without additional confirmation from the user.
Running existing triggers is the skill’s stated purpose, but the instruction favors immediate execution once a trigger is named. Existing triggers may have side effects depending on the user’s App setup.
Default to auto-discovery before asking for anything ... when a user names a trigger, try running it with no `input` first
Confirm the trigger name and expected side effects before execution, especially for triggers that can post, modify, purchase, delete, or send data.
A stale or tampered cached snapshot could cause confusion about which trigger name maps to which trigger id.
The skill persistently stores defaults and cached trigger metadata that can later influence trigger-name resolution. This is disclosed and purpose-aligned, but users should know it affects future runs.
Preferences file: `$OPENCLAW_STATE_DIR/skill-state/mx-auto/preferences.json` ... Cached trigger snapshot: `triggerSnapshot.loadedAt` ... `triggerSnapshot.services[]`
Refresh triggers before important runs and clear or inspect the mx-auto preferences file if trigger resolution seems wrong.
The preflight script runs a small local shell command to locate dependencies.
The static scanner flagged shell execution. In context, the script uses it to check fixed dependency names, which is expected for preflight validation, but it is still local command execution.
require("node:child_process").execFileSync("bash", ["-lc", `command -v ${name}`], {
Keep the skill files trusted and review changes to preflight_check.sh if the command list becomes user-controlled.
