Is aviclaw/debridge-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/aviclaw/debridge-mcp

82
SAFE

This deBridge MCP skill appears legitimate and provides cryptocurrency cross-chain swap functionality. The main security concerns involve external code execution during setup and the inherent risks of cryptocurrency operations. No evidence of malicious behavior, prompt injection, or data exfiltration was detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

MEDIUM External Repository Code Execution -25

The setup script clones and executes code from an external GitHub repository (debridge-finance/debridge-mcp). This introduces supply chain risk as the external repository could potentially be compromised or contain malicious code.

MEDIUM npm install Execution Risk -15

The setup script runs 'npm install' on externally sourced code, which can execute arbitrary scripts defined in package.json (preinstall, postinstall, etc.). This could allow malicious code execution during installation.

LOW Cryptocurrency Operations Context -20

The skill enables cryptocurrency cross-chain swaps and transfers, which are high-value operations that could be attractive targets for attackers. Users should exercise caution when handling financial transactions.