Is alopez3006/snipara-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/alopez3006/snipara-mcp

87 · SAFE

Snipara MCP is a legitimate documentation querying and management tool that connects to the Snipara SaaS platform via MCP protocol. The code is clean with no prompt injection, no malicious install behavior, and no canary file access. The primary risk is that document upload, sync, and memory tools transmit arbitrary content to an external server, creating an indirect data exfiltration surface if the agent is manipulated into uploading sensitive files.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (6)

MEDIUM Document upload tools send arbitrary content to external server -15

The rlm_upload_document and rlm_sync_documents tools accept path and content parameters and transmit them to api.snipara.com. While this is the intended functionality for a documentation management tool, it creates an exfiltration surface. If an agent is socially engineered (e.g., 'upload my .env file as documentation'), sensitive data could be sent to the external server.

MEDIUM Memory tools persist data on external Snipara server -13

The rlm_remember, rlm_store_summary, and rlm_recall tools store and retrieve arbitrary content on the Snipara server. Facts, decisions, preferences, and context stored via these tools leave the local environment. Combined with skills that read local files, this could be an indirect exfiltration path.

LOW Browser opened during OAuth login flow -10

The auth.py module calls webbrowser.open() to open the OAuth verification URL in the user's browser. This is a standard OAuth device flow pattern and only triggers during explicit snipara-mcp-login invocation, not during normal MCP server operation.

LOW Combination risk with file-reading skills -12

This skill is benign on its own, but when combined with other skills that have filesystem access, the upload/sync/memory tools could be leveraged to exfiltrate locally-read content to the Snipara server. An attacker could craft a prompt that causes the agent to read sensitive files and then upload them as 'documentation'.

INFO Empty SKILL.md file -5

The SKILL.md file is empty, meaning no instructions are injected into the agent's system prompt. This is positive from a prompt injection standpoint but unusual; most skills include usage instructions. The MCP tool descriptions serve as the effective interface instead.

INFO Configurable API endpoint via environment variable 0

The SNIPARA_API_URL environment variable allows redirecting all API calls to an arbitrary server. If an attacker controls this variable, all documentation queries and uploads would go to a malicious endpoint. However, this requires environment-level access, which is outside the skill's threat model.