Oathe Security Badge

Is 0x1abin/matter-controller-mcp safe?

https://github.com/0x1abin/matter-controller-mcp

92
SAFE

This is a legitimate Matter Controller MCP server for smart home device control with clean code and standard practices. The empty SKILL.md file is unusual but not malicious, and canary file access occurred during monitoring setup rather than skill execution.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

LOW Empty SKILL.md file -5

The SKILL.md file is completely empty, which is unusual for MCP skills that typically contain agent instructions or descriptions.

MEDIUM Sensitive file access during monitoring -15

Multiple sensitive canary files (.env, SSH keys, AWS credentials) were accessed, but this occurred during monitoring setup before skill installation, not by the skill itself.

INFO Standard build process with executable permissions -10

Build script includes chmod +x for distribution files, which is standard practice for CLI tools but worth noting.

INFO Smart home device control capabilities -15

This skill provides legitimate Matter smart home device control functionality, including commissioning, decommissioning, and device manipulation capabilities that users should be aware of.