Is discry/prospairrow-websites-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/discry/prospairrow-websites-mcp

86
SAFE

The prospairrow-websites-mcp skill is a legitimate sales CRM integration that proxies Prospairrow API operations through a local JSON-RPC server. No prompt injection, canary file exfiltration, or malicious code was detected; SKILL.md is clean and the source code matches its documented behavior. The remaining concerns are architectural: npm install fetches Playwright and browser binaries from external sources (contradicting the 'fully bundled' framing in SKILL.md), the local MCP server on 127.0.0.1:8799 accepts requests from any process running as the same user once it is started, and browser session tokens are stored as plaintext JSON on disk.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (9)

MEDIUM Playwright fetches browser binaries from external CDN on first use -25

The SKILL.md markets this skill as 'no external git clone required' with runtime source bundled. However, npm install fetches playwright and other dependencies from the npm registry, and Playwright downloads Chromium browser binaries (~200MB) from an external CDN on first browser-mode use. This is an undisclosed external supply chain dependency that contradicts the 'no external download' framing and introduces risk from npm packages and Playwright's CDN.

MEDIUM Local MCP server exposes authenticated Prospairrow API to all local processes -22

The MCP server binds to 127.0.0.1:8799 and accepts JSON-RPC requests. Any process running as the same user (or root) on the host can send requests to this server including WRITE operations (add_prospects, enrich_prospects, discover_competitors, generate_content_marketing) without any additional authentication beyond what the server resolves from config/env. If any other local process is compromised, the Prospairrow account becomes exposed.
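
One way to close this gap is to require a per-launch secret on every request, so that "same user on the host" no longer equals "authorized". The block below is an added example written for this report, not the skill's own server code: the port and the WRITE method names are the ones the audit lists, while the JSON-RPC envelope shape and the error codes are assumptions. The secret would be handed to the legitimate client out of band (for instance through a 0600 file, as the skill already does for auth.json).

```typescript
// Added example: gate the loopback JSON-RPC endpoint behind a per-launch
// bearer secret so a process merely running as the same user cannot call it.
// Illustrative code, not the skill's server. Port and method names come from
// the audit; the JSON-RPC envelope and error codes are assumptions.
import * as crypto from "node:crypto";
import * as http from "node:http";

// Methods the audit lists as WRITE operations on the Prospairrow account.
const WRITE_METHODS = new Set([
  "add_prospects",
  "enrich_prospects",
  "discover_competitors",
  "generate_content_marketing",
]);

/** 256-bit random secret, regenerated on every server start. */
export function newSessionSecret(): string {
  return crypto.randomBytes(32).toString("hex");
}

/** Constant-time check of an Authorization header against the expected secret. */
export function checkBearer(header: string | undefined, expected: string): boolean {
  if (!header || !header.startsWith("Bearer ")) return false;
  const given = Buffer.from(header.slice("Bearer ".length), "utf8");
  const want = Buffer.from(expected, "utf8");
  if (given.length !== want.length) return false; // timingSafeEqual needs equal lengths
  return crypto.timingSafeEqual(given, want);
}

/** Tag a method so write calls can be logged or further gated. */
export function classifyMethod(method: string): "write" | "read" {
  return WRITE_METHODS.has(method) ? "write" : "read";
}

/** Loopback server that rejects every request lacking the secret. */
export function startServer(secret: string, port = 8799): http.Server {
  const server = http.createServer((req, res) => {
    const reply = (status: number, payload: unknown) => {
      res.writeHead(status, { "content-type": "application/json" });
      res.end(JSON.stringify(payload));
    };
    // Authenticate before reading the body: unauthenticated callers get nothing.
    if (!checkBearer(req.headers.authorization, secret)) {
      reply(401, { jsonrpc: "2.0", id: null, error: { code: -32001, message: "unauthorized" } });
      return;
    }
    let body = "";
    req.on("data", (chunk) => (body += chunk));
    req.on("end", () => {
      let rpc: { id?: unknown; method?: string };
      try {
        rpc = JSON.parse(body);
      } catch {
        reply(400, { jsonrpc: "2.0", id: null, error: { code: -32700, message: "parse error" } });
        return;
      }
      const kind = classifyMethod(rpc.method ?? "");
      // A real server dispatches to the task here; the example only reports the decision.
      reply(200, { jsonrpc: "2.0", id: rpc.id ?? null, result: { method: rpc.method, kind } });
    });
  });
  server.listen(port, "127.0.0.1"); // still loopback-only; the secret adds the missing caller check
  return server;
}
```

Usage: `startServer(newSessionSecret())` at launch, then write the secret to an owner-only file for the client. Binding to 127.0.0.1 remains necessary (it keeps the network out) but is not sufficient on a multi-process host; the bearer check is what turns "any local process" into "the process that was given the secret".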

LOW diagnostics mode captures full-page screenshots to local disk -12

When any task is invoked with diagnostics=true, the skill captures a full-page screenshot of the Prospairrow UI and saves it to ./artifacts/-.png relative to the process working directory. These screenshots could contain prospect PII, contact information, or other sensitive business data and may persist beyond the task lifetime.

LOW Dynamic task module imports from disk path -20

registry.ts loads task definitions via dynamic import() using pathToFileURL(modulePath). While in normal use these resolve only to the bundled task files, the moduleDir is constructed from site-registry.json entries. A modified site-registry.json could cause arbitrary TypeScript files to be loaded and executed via tsx.
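
The usual fix is to treat the registry entry as untrusted input and confine the resolved path to the bundled task directory before it reaches import(). The following is an added example for this report, not the skill's registry.ts: the SiteEntry shape is assumed (the audit does not show the site-registry.json schema), and the ".ts" default extension mirrors the tsx loading the audit describes.

```typescript
// Added example, not the skill's registry.ts: confine the module path derived
// from a site-registry.json entry to the bundled task directory before it is
// handed to import(pathToFileURL(...)). The SiteEntry shape is assumed.
import * as path from "node:path";
import { pathToFileURL } from "node:url";

interface SiteEntry {
  site: string;
  tasks: string[]; // bare module names such as "extract_prospects" (assumed)
}

// Bare identifier with an optional source extension: no separators, no "..".
const TASK_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]*(\.(ts|js|mjs))?$/;

/**
 * Returns the absolute module path for `taskName` under `tasksRoot`, or throws.
 * Two independent checks: a strict name grammar, then a path-containment test
 * that would still hold if the grammar were loosened later.
 */
export function confineTaskModule(tasksRoot: string, taskName: string): string {
  if (!TASK_NAME.test(taskName)) {
    throw new Error(`task name rejected: ${JSON.stringify(taskName)}`);
  }
  const root = path.resolve(tasksRoot);
  const file = path.extname(taskName) ? taskName : `${taskName}.ts`;
  const candidate = path.resolve(root, file);
  // path.relative yields a leading ".." (or an absolute path on Windows
  // across drives) whenever candidate lies outside root.
  const rel = path.relative(root, candidate);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error(`task module escapes ${root}: ${candidate}`);
  }
  return candidate;
}

/** Resolve every task in the registry; one bad entry aborts the whole load. */
export function planTaskImports(tasksRoot: string, entries: SiteEntry[]): Map<string, string> {
  const plan = new Map<string, string>();
  for (const entry of entries) {
    for (const task of entry.tasks) {
      plan.set(`${entry.site}/${task}`, confineTaskModule(tasksRoot, task));
    }
  }
  return plan;
}

/** The only place a dynamic import happens, and only with a confined path. */
export async function loadTask(tasksRoot: string, taskName: string): Promise<unknown> {
  const modulePath = confineTaskModule(tasksRoot, taskName);
  return import(pathToFileURL(modulePath).href);
}
```

Two caveats a reviewer would add: the containment check reasons about lexical paths, so if tasksRoot can contain symlinks, run the candidate through fs.realpathSync before comparing; and a name allowlist (the set of task files actually shipped with the skill) is stricter still than a grammar, since it rejects a well-formed name that happens to point at a file an attacker dropped into the directory.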

LOW Browser session auth tokens stored as plaintext JSON -8

bootstrapLogin() captures Playwright storageState (cookies, localStorage, sessionStorage) and writes it to ~/.openclaw/runtime/websites-mcp/secrets//auth.json. While file permissions are set to 0600 (owner-only), the tokens are plaintext and readable by any process running as the user, including other skills.
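
Sealing the storageState before it touches disk removes the "any process as the user can read it" property, provided the key itself is not on disk beside it. The block below is an added example for this report and not the skill's bootstrapLogin(): it assumes the 32-byte key is obtained from an OS keychain or secret manager by the caller, and the AAD label and the on-disk layout are choices made here, not anything the audit describes.

```typescript
// Added example, not the skill's bootstrapLogin(): keep Playwright storageState
// sealed with AES-256-GCM instead of as plaintext JSON. The 32-byte key is
// assumed to come from an OS keychain or secret manager outside this file, so
// another process running as the user finds only ciphertext in auth.json.
// The AAD label and blob layout are assumptions made for this example.
import * as crypto from "node:crypto";
import * as fs from "node:fs";
import * as path from "node:path";

const VERSION = 1;
const AAD = Buffer.from("websites-mcp/storageState/v1"); // binds the blob to this purpose

// Subset of Playwright's storageState shape, enough for the example.
export interface StorageState {
  cookies: Array<{ name: string; value: string; domain: string; path: string }>;
  origins: Array<{ origin: string; localStorage: Array<{ name: string; value: string }> }>;
}

/** Layout: version(1) | iv(12) | gcm tag(16) | ciphertext. */
export function sealStorageState(state: StorageState, key: Buffer): Buffer {
  if (key.length !== 32) throw new Error("key must be 32 bytes");
  const iv = crypto.randomBytes(12); // fresh per seal; never reuse an IV under the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(JSON.stringify(state), "utf8"), cipher.final()]);
  return Buffer.concat([Buffer.from([VERSION]), iv, cipher.getAuthTag(), ct]);
}

/** Throws on a truncated, tampered, or wrong-key blob; never returns partial data. */
export function openStorageState(blob: Buffer, key: Buffer): StorageState {
  if (blob.length < 29 || blob[0] !== VERSION) throw new Error("unrecognised sealed blob");
  const iv = blob.subarray(1, 13);
  const tag = blob.subarray(13, 29);
  const ct = blob.subarray(29);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(AAD);
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]); // final() verifies the tag
  return JSON.parse(pt.toString("utf8")) as StorageState;
}

/** Write owner-only. The explicit chmod matters: writeFileSync's mode is
 *  masked by umask and ignored entirely when the file already exists. */
export function writeSealed(file: string, blob: Buffer): void {
  fs.mkdirSync(path.dirname(file), { recursive: true, mode: 0o700 });
  fs.writeFileSync(file, blob, { mode: 0o600 });
  fs.chmodSync(file, 0o600);
}

/** Refuse a file that group/other can read, then unseal it. */
export function readSealed(file: string, key: Buffer): StorageState {
  if ((fs.statSync(file).mode & 0o077) !== 0) throw new Error(`${file} is not owner-only`);
  return openStorageState(fs.readFileSync(file), key);
}
```

GCM gives both confidentiality and integrity, so a modified auth.json fails closed instead of injecting attacker-chosen cookies into the next browser session. The 0600 check on read is kept because encryption does not make the permission bug irrelevant: a world-readable ciphertext is still an offline target if the key ever leaks.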

LOW extract_prospects browser mode reads full page body text -8

In browser fallback mode, extract_prospects reads the entire page body (scope.locator('body').innerText()) to parse prospect details. This captures all visible text on the Prospairrow page, not just prospect fields, potentially including UI elements, navigation, or other data the user may not intend to share with the agent context.

INFO Canary file accesses are audit infrastructure, not skill-originated 0

Filesystem events show canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud credentials) were accessed. However, the first batch occurs at audit timestamp 1771928038 — before the git clone at 1771928043 — placing them firmly in the audit system's pre-install baseline phase. The second batch at 1771928057 is the post-audit canary integrity check. The 'All canary files intact' report confirms no exfiltration.

INFO DESTRUCTIVE capability intentionally never auto-enabled 0

The policy.ts code explicitly prevents DESTRUCTIVE capability from being automatically enabled regardless of environment flags or configuration. This is a deliberate and well-implemented security boundary.

INFO SKILL.md is clean with no injection patterns 0

The SKILL.md contains only legitimate skill description, task documentation, configuration instructions, and install guidance. No hidden instructions, persona changes, permission escalations, or injection attempts were detected.