Is leo-paz/outlit-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/leo-paz/outlit-mcp

86
SAFE

This skill provides legitimate MCP integration for Outlit customer analytics with comprehensive documentation and no malicious code. The main considerations are dependency on external infrastructure and appropriate handling of business data through third-party services.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

MEDIUM External MCP Server Dependency -15

The skill configures connections to an external MCP server at mcp.outlit.ai and transmits user API keys to this third-party service. While legitimate for the skill's purpose, this creates dependency on external infrastructure.

LOW Shell Command Execution Instructions -25

The skill instructs the agent to execute shell commands for MCP setup, including environment detection and configuration commands. This is necessary for functionality but represents elevated permissions.

LOW Sensitive Data Access Scope -20

The skill enables querying customer analytics data including revenue metrics, user activity, and business intelligence through external service. Users should ensure appropriate data governance policies.