v1.0.1

m5stack-assistant

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:08 AM.

Analysis

This is a coherent M5Stack documentation helper that uses a disclosed remote MCP lookup service and optional Node.js helper scripts, with no evidence of credential access, persistence, or destructive behavior.

GuidanceThis skill appears safe for M5Stack documentation and coding-help use. Before installing, be aware that relevant questions are looked up through a remote M5Stack MCP service, and the optional command-line helper requires Node.js even though no binary requirement is declared.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none ... Required binaries (all must exist): none ... No install spec — this is an instruction-only skill. Code file presence: 3 code file(s)

The registry metadata does not provide an upstream source/homepage or declare Node as a requirement, even though helper scripts are included; the visible code is small and purpose-aligned, so this is a transparency note rather than a concern.

User impactUsers may need to review the included scripts directly and ensure Node.js is available if they want to use the command-line helper.

RecommendationReview the included helper scripts before running them, and prefer an official publisher/source reference if provenance is important for your environment.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

端点: `https://mcp.m5stack.com/sse` ... 发送JSON-RPC请求: POST 到返回的 `/messages?session_id=xxx` 端点

The skill intentionally uses a remote MCP/SSE service for documentation lookup, so M5Stack-related query text is transmitted to that service.

User impactYour M5Stack questions, and any context included in them, may be sent to the M5Stack MCP service for retrieval.

RecommendationUse it for M5Stack-specific documentation tasks and avoid putting unrelated secrets, private keys, or confidential project details into lookup queries.