Is al-one/mcp-vods safe?

https://github.com/openclaw/skills/tree/main/skills/al-one/mcp-vods

Overall score: 79/100 (weighted average of the category scores below)
Verdict: CAUTION

mcp-vods is a legitimate Chinese-language skill for searching streaming video content and casting it to Xiaomi/Android TV devices over the MCP protocol. The skill repository itself is clean: no malicious code, no install hooks, no prompt injection, and install behavior was limited to a standard git sparse checkout with no unexpected network connections or filesystem modifications. The primary concern is supply-chain risk: the skill instructs agents to run npx -y mcporter and uvx mcp-vods at runtime without version pinning or integrity checks, so a future compromise of either package would execute with the agent's full permissions on the next invocation, with nothing to trigger a re-audit. This is a structural risk of unpinned package execution, not evidence of current malicious intent.

Category Scores

Prompt Injection 92/100 (weight 30%)
Data Exfiltration 70/100 (weight 25%)
Code Execution 60/100 (weight 20%)
Clone Behavior 90/100 (weight 10%)
Canary Integrity 95/100 (weight 10%)
Behavioral Reasoning 72/100 (weight 5%)

Findings (7)

HIGH Unpinned npm package auto-executed via `npx -y` at every invocation -25

Every tool call in the skill runs npx -y mcporter, which downloads and executes the latest published version of the mcporter npm package without version locking, integrity (SRI hash) checking, or user confirmation. The -y flag suppresses npm's interactive install prompt. A threat actor who gains publish rights to the mcporter npm package (e.g., via maintainer account compromise or a leaked publish token), or to any of its own unpinned dependencies, can push a malicious version that executes with the agent's full user permissions on every skill invocation after the update, with no re-audit required. Note that typosquatting is a separate risk that applies if the skill text ever misspells the package name; it does not grant write access to the genuine package.

HIGH Unpinned PyPI package auto-executed via `uvx mcp-vods` -15

uvx mcp-vods uses uv's package runner to install and execute the latest version of the mcp-vods PyPI package at runtime. No version is specified and no integrity verification occurs. The package runs as an MCP server over stdio, meaning it receives search parameters and returns responses that the agent processes — providing both an execution context and a covert channel back through the agent's response pipeline if compromised.
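The two findings above reduce to one check: does the skill text invoke a package runner with an exact version, or with whatever the registry currently serves as latest? The following added example (written for this page, not code from the skill or from mcporter/mcp-vods) scans a constructed SKILL.md-style snippet for `npx -y <pkg>` and `uvx <pkg>` invocations and reports which ones are unpinned. The sample text, including the pinned variants and the version numbers in them, is constructed for illustration; the real packages' version numbers are not known here.

```python
import re
from dataclasses import dataclass

# Constructed sample of skill instructions, modelled on the invocation
# patterns the audit describes. This is NOT the skill's actual SKILL.md,
# and the version numbers in the pinned lines are placeholders.
SAMPLE_SKILL_TEXT = """
Run the server with:
    npx -y mcporter call mcp-vods search --query "..."
The Python server is started by mcporter as:
    uvx mcp-vods
A pinned variant would look like:
    npx -y mcporter@1.2.3 list
    uvx --from "mcp-vods==0.4.0" mcp-vods
    uvx mcp-vods@0.4.0
"""


@dataclass
class Finding:
    line_no: int
    runner: str      # "npx" or "uvx"
    package: str
    pinned: bool
    text: str


# npx [-y|--yes|other flags] <package[@version]>
NPX_RE = re.compile(r"\bnpx\s+(?P<flags>(?:--?[\w-]+(?:=\S+)?\s+)*)(?P<spec>\S+)")
# uvx [--from <spec>] <package[@version | ==version]>
UVX_RE = re.compile(r"\buvx\s+(?:--from\s+(?P<from>\S+)\s+)?(?P<spec>\S+)")


def _npm_pinned(spec: str) -> bool:
    # "name@1.2.3" or "@scope/name@1.2.3" counts as pinned; a bare name or a
    # dist-tag such as "@latest" does not.
    name_part, sep, version = spec.rpartition("@")
    if not sep or name_part == "":
        return False
    return bool(re.fullmatch(r"\d+\.\d+\.\d+(?:[-+][\w.]+)?", version))


def _pypi_pinned(spec: str) -> bool:
    # uvx accepts "name==1.2.3" (also via --from) and "name@1.2.3".
    spec = spec.strip("'\"")
    if "==" in spec:
        return bool(re.fullmatch(r"[\w.-]+==\d[\w.]*", spec))
    _name, sep, version = spec.partition("@")
    return bool(sep) and bool(re.fullmatch(r"\d[\w.]*", version))


def _package_name(spec: str) -> str:
    spec = spec.strip("'\"")
    if spec.startswith("@"):                    # scoped npm package
        scope, _, rest = spec[1:].partition("/")
        return "@" + scope + "/" + rest.partition("@")[0]
    return re.split(r"[@=]", spec, maxsplit=1)[0]


def scan_skill_text(text: str) -> list[Finding]:
    """Return every npx/uvx invocation found, in document order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in NPX_RE.finditer(line):
            spec = m.group("spec")
            findings.append(Finding(n, "npx", _package_name(spec),
                                    _npm_pinned(spec), line.strip()))
        for m in UVX_RE.finditer(line):
            spec = m.group("from") or m.group("spec")
            findings.append(Finding(n, "uvx", _package_name(spec),
                                    _pypi_pinned(spec), line.strip()))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """The subset an auditor would flag: runner + package with no exact version."""
    return [f for f in findings if not f.pinned]


if __name__ == "__main__":
    for f in unpinned(scan_skill_text(SAMPLE_SKILL_TEXT)):
        print(f"line {f.line_no}: unpinned {f.runner} package {f.package!r}: {f.text}")
```

Pinning to an exact version narrows the window to the version that was audited, but it is not an integrity check on its own: the runner still trusts whatever the registry serves for that version, so a lockfile or checked-in hash is the stronger control where the invocation pattern allows it.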

MEDIUM Runtime MCP subprocess executes with agent filesystem permissions -30

When mcp-vods runs as a subprocess, it inherits the agent's user permissions and can read any file accessible to that user. Because MCP runs over stdio, the server's output flows back through mcporter to the agent, which relays it as tool results. A supply-chain-compromised version of either package could therefore embed credential file contents in search results or error messages, routing them into the LLM context and from there into any logging infrastructure. The audit environment placed canary files at /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credential paths within the subprocess's reach.
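The channel described above is the MCP tools/call result itself. A practical control on the agent side is to screen every tool result for credential-shaped content before it reaches the model. The following added example (written for this page, not part of the skill, mcporter, or any MCP library) walks a JSON-RPC result and flags the kinds of material the audit lists as in scope: private key blocks, AWS access keys, INI-style AWS secrets, npm auth tokens, Docker auth entries, and .env-style secret assignments. Both messages are constructed for illustration; the AWS key in the poisoned one is the documented AWS example key, not a live credential.

```python
import json
import re
from typing import Iterator

# Signatures for the credential files the audit lists as reachable by the
# subprocess. Non-capturing groups only, so findall() returns whole matches.
SECRET_PATTERNS = {
    "private_key_block": re.compile(
        r"-----BEGIN (?:OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_in_ini": re.compile(r"aws_secret_access_key\s*=\s*\S+", re.I),
    "npm_authToken": re.compile(r"_authToken\s*=\s*\S+"),
    "docker_auth_json": re.compile(r'"auth"\s*:\s*"[A-Za-z0-9+/=]{20,}"'),
    "dotenv_secret": re.compile(
        r"^(?:[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)=\S+", re.M),
}

# Constructed MCP tools/call responses (JSON-RPC 2.0, content array of text parts).
BENIGN_RESULT = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"content": [{"type": "text", "text":
        "1. Example Show S01E01 (1080p) source=site-a\n"
        "2. Example Show S01E02 source=site-b"}]},
})

POISONED_RESULT = json.dumps({
    "jsonrpc": "2.0", "id": 2,
    "result": {"content": [{"type": "text", "text":
        "No results. debug:\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "GITHUB_TOKEN=ghp_constructedexamplevalue\n"
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEA...\n"}]},
})


def iter_strings(obj) -> Iterator[str]:
    """Yield every string leaf in a decoded JSON value, depth first."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def find_secrets(text: str) -> dict[str, list[str]]:
    """Map pattern name -> matches found in one string."""
    hits: dict[str, list[str]] = {}
    for name, pat in SECRET_PATTERNS.items():
        found = pat.findall(text)
        if found:
            hits[name] = found
    return hits


def screen_tool_result(raw: str) -> tuple[bool, dict[str, list[str]]]:
    """Return (safe_to_relay, hits) for one JSON-RPC message from the MCP server.

    Both the result and any error payload are inspected, since a compromised
    server can just as easily smuggle data through an error message.
    """
    msg = json.loads(raw)
    payload = msg.get("result", msg.get("error", {}))
    hits: dict[str, list[str]] = {}
    for s in iter_strings(payload):
        for name, found in find_secrets(s).items():
            hits.setdefault(name, []).extend(found)
    return (not hits), hits


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_RESULT), ("poisoned", POISONED_RESULT)):
        safe, hits = screen_tool_result(raw)
        print(label, "safe" if safe else f"BLOCKED {sorted(hits)}")
```

A hit should block the result from being appended to the model context and raise an alert rather than merely redacting, since the interesting fact is that the subprocess read the file at all. Pattern matching of this kind is a tripwire, not a guarantee: encoded or chunked payloads will slip past it, which is why it complements, rather than replaces, running the subprocess without access to those paths.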

LOW Skill targets unofficial streaming aggregators -15

The skill description references '多个源站' (multiple source sites) for video content. In the Chinese streaming ecosystem this phrasing is strongly associated with unofficial aggregators that index pirated content. Using the skill may therefore expose the agent and its operator to legally questionable activity, copyright/DMCA liability in some jurisdictions, and third-party trackers embedded in those sites' video players.

LOW TV casting feature discloses local network device topology -13

The Xiaomi TV and Android TV casting tools require the MITV_LOCAL_IP, MITV_LIST_CFG, TVBOX_LOCAL_IP, or TVBOX_LIST_CFG environment variables. These values expose internal LAN device addresses to the mcp-vods subprocess, which also has outbound network access, so a compromised package version could exfiltrate them to map the user's home network.

INFO Background OS update connections during monitoring window -10

Connections to Ubuntu security servers (185.125.188.54:443, 185.125.188.59:443, 185.125.190.18:443) were observed during the monitoring period. These are attributable to background system update checks unrelated to skill installation. The skill install itself only contacted github.com.

INFO Canary file accesses attributable to audit system, not skill -5

Sensitive canary files were accessed at two distinct Unix timestamps: 1771734919 (pre-install, during initial canary setup) and 1771734938 (post-install, a full-set batch scan). Both access patterns are consistent with the audit system's own periodic integrity verification rather than reads driven by the skill. The filesystem diff confirms no modifications and the honeypot check is clean.