Is livvux/mcporter-skill safe?

https://github.com/openclaw/skills/tree/main/skills/livvux/mcporter-skill

86
SAFE

The mcporter-skill is a clean CLI documentation wrapper with no prompt injection, hidden instructions, malicious code, or credential exfiltration. Its primary risk is architectural: it grants the agent broad authority over the MCP server lifecycle (configuration, authentication, tool invocation, and CLI generation), so a malicious or attacker-influenced MCP server configuration could turn this skill into a remote execution vector. All technical indicators came back clean: the clone contacted only GitHub, the canary files were unmodified, the skill ships no executable code, and no unexpected network activity was observed.

Category Scores (score/100 · weight in the overall score)

Prompt Injection 87/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

MEDIUM Arbitrary MCP tool call grants lateral movement capability -25

The skill instructs the agent to run 'mcporter call [arguments...]', which invokes arbitrary tools on any configured MCP server. If a malicious MCP server is configured in ~/.config/mcporter/ (by the user, by another skill, or via social engineering), this skill becomes a fully general remote code/data execution primitive with no restrictions visible in the skill itself.

LOW MCP server config and auth management enables attacker-controlled server registration -15

'mcporter config' and 'mcporter auth' allow the agent to add, modify, or authenticate new MCP server connections. If an attacker can converse naturally with an agent that has this skill loaded, they could instruct it to register a malicious MCP server, then use 'mcporter call' in a subsequent turn to exfiltrate data or execute commands through that server.

LOW Unconditional exec tool authorization for all mcporter subcommands -13

The final note in SKILL.md — 'Use exec tool to run mcporter commands' — unconditionally authorizes execution of any mcporter command the agent decides to run. There is no scope restriction on which subcommands are permitted, meaning an agent could use this authorization for destructive or sensitive mcporter operations (auth revocation, config deletion, ad-hoc server creation) without additional user confirmation.
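The three findings above describe the same gap from three angles: nothing in the skill scopes which mcporter subcommands the agent may run, which servers `call` may target, or whether `config`/`auth` need a human in the loop. The following is an added example of the kind of policy gate a harness could put in front of the exec tool; it is not part of the audited skill or of mcporter itself. It assumes the exec tool presents the command as an argv list and that the first positional argument after `call` names the target server (an assumption about mcporter's syntax, which the page shows only as `[arguments...]`).

```python
"""Policy gate for agent-issued `mcporter` commands.

Added example (not part of the audited skill or of mcporter). It assumes the
exec tool presents the command as an argv list, that the first positional
argument after `call` names the target server (an assumption about mcporter's
syntax), and that `config` and `auth` should never run on the agent's own
initiative because they change which servers exist and who is authenticated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Servers the agent may invoke tools on; everything else is denied.
    allowed_servers: frozenset
    # Subcommands that alter server registration or credentials (both named
    # in the findings) and therefore need an explicit human confirmation.
    confirm_required: frozenset = frozenset({"config", "auth"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def gate(argv, policy, user_confirmed=False):
    """Return a Decision for one exec request. The default is deny."""
    if not argv or argv[0] != "mcporter":
        return Decision(False, "only mcporter commands are gated here; refusing")
    if len(argv) < 2:
        return Decision(False, "missing subcommand")
    sub = argv[1]
    if sub in policy.confirm_required:
        if user_confirmed:
            return Decision(True, f"{sub} run after explicit user confirmation")
        return Decision(False, f"{sub} changes server registration or credentials; ask the user first")
    if sub == "call":
        if len(argv) < 3:
            return Decision(False, "call without a target server")
        server = argv[2]  # assumption: server name is the first positional
        if server not in policy.allowed_servers:
            return Decision(False, f"server {server!r} is not on the allowlist")
        return Decision(True, f"tool call on allowlisted server {server!r}")
    return Decision(False, f"subcommand {sub!r} is not covered by the policy (default deny)")


def unexpected_servers(configured, policy):
    """Servers present in ~/.config/mcporter/ (however the caller enumerated
    them) that the policy never approved, e.g. ones added by another skill
    or through social engineering. Sorted for stable output."""
    return sorted(set(configured) - set(policy.allowed_servers))


# Hypothetical policy: two servers the user vetted when the skill was installed.
POLICY = Policy(allowed_servers=frozenset({"docs", "tickets"}))

if __name__ == "__main__":
    for cmd in (["mcporter", "call", "docs", "search", "rotate keys"],
                ["mcporter", "call", "evil-relay", "run"],
                ["mcporter", "config", "add", "evil-relay"],
                ["mcporter", "auth", "evil-relay"]):
        d = gate(cmd, POLICY)
        print("ALLOW" if d.allowed else "DENY ", " ".join(cmd), "->", d.reason)
    print("unexpected servers:", unexpected_servers(["docs", "tickets", "evil-relay"], POLICY))
```

With this in place the two-turn attack in the second finding fails at both steps: the registration request is refused until the user confirms it, and even a server that was registered by some other path cannot be reached through `call` because it is not on the allowlist. `unexpected_servers` is the check to run periodically against whatever is actually configured, so that drift in ~/.config/mcporter/ is surfaced rather than silently trusted.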

INFO Canary credential files read twice during audit window -17

inotify and auditd records show OPEN+ACCESS of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and the GCP application_default_credentials.json at two timestamps: audit(1771929558.218), 5 seconds before the git clone began, and audit(1771929582.319), after install completed. The pre-clone reads cannot have been caused by the skill and are attributable to the canary setup. The post-install reads are temporally consistent with post-install canary integrity verification. No modification or network transmission of this data was detected.

INFO Canary read accesses logged but files unmodified and data not exfiltrated -10

Six canary files were accessed (read-only) during the audit window. The integrity check confirms no content modification. Cross-referencing with network captures shows no outbound transmission of canary data. The access pattern is consistent with the monitoring infrastructure rather than malicious exfiltration.

INFO Clone behavior clean — only expected GitHub connection -5

The git clone spawned the expected subprocess chain (git → git-remote-https → index-pack) and connected only to GitHub's IP (140.82.121.4:443). DNS resolution used the local resolver. No additional external hosts were contacted. After install, the connection to GitHub closed normally and the connection diff shows no new persistent listeners or established connections attributable to the skill.
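The two canary findings and the clone-behaviour finding rest on one piece of reasoning: place every canary access and every network flow on the timeline relative to the clone start and install end, then ask whether anything inside that window wrote to a canary or talked to a host other than the clone origin. The following is an added example of that triage over constructed records; it is not the audit harness's own code. The event layout (timestamp, operation, path) and flow layout (timestamp, destination) are assumptions, the install-end timestamp is assumed, and the sample records are constructed to mirror the timestamps quoted in the report rather than copied from real logs.

```python
"""Triage canary-file accesses and network flows against the install window.

Added example illustrating the reasoning in the canary and clone-behaviour
findings; not the audit harness's own code. The record layouts are assumed
and the sample data below is constructed, not captured.
"""
from dataclasses import dataclass

# Canary files named in the report, matched by path suffix.
CANARY_SUFFIXES = (
    "/.env", "/.ssh/id_rsa", "/.aws/credentials", "/.npmrc",
    "/.docker/config.json", "/application_default_credentials.json",
)
# Write-like operations; any of these on a canary inside the window is a finding.
WRITE_OPS = {"MODIFY", "WRITE", "CLOSE_WRITE", "ATTRIB"}


@dataclass(frozen=True)
class FileEvent:
    ts: float   # epoch seconds, like the ts in auditd's msg=audit(ts:serial)
    op: str     # inotify-style event name (assumed layout)
    path: str


@dataclass(frozen=True)
class Flow:
    ts: float
    dst: str    # "ip:port"


@dataclass(frozen=True)
class Window:
    clone_start: float   # first git subprocess
    install_end: float   # files copied into the skill directory


def phase(ts, w):
    """Which part of the audit a timestamp falls in."""
    if ts < w.clone_start:
        return "pre-clone"        # harness setup; cannot be the skill
    if ts <= w.install_end:
        return "install"          # attributable to the skill
    return "post-install"         # harness integrity verification


def triage(events, flows, window, allowed_dst):
    """Bucket canary accesses by phase; flag in-window writes and flows to
    destinations other than the expected clone origin."""
    report = {"pre-clone": [], "install": [], "post-install": [],
              "modified": [], "unexpected_flows": []}
    for ev in events:
        if not ev.path.endswith(CANARY_SUFFIXES):
            continue
        ph = phase(ev.ts, window)
        report[ph].append(ev.path)
        if ph == "install" and ev.op in WRITE_OPS:
            report["modified"].append(ev.path)
    for fl in flows:
        if phase(fl.ts, window) == "install" and fl.dst not in allowed_dst:
            report["unexpected_flows"].append(fl.dst)
    return report


def verdict(report):
    if report["modified"] or report["unexpected_flows"]:
        return "SUSPICIOUS"
    if report["install"]:
        return "REVIEW"   # a canary read by the skill itself needs a human look
    return "CLEAN"


# Constructed sample: six canary reads 5 s before the clone, six after install,
# and one flow to the GitHub address the report names during the clone.
HOME = "/home/audit"
CANARIES = [HOME + "/.env", HOME + "/.ssh/id_rsa", HOME + "/.aws/credentials",
            HOME + "/.npmrc", HOME + "/.docker/config.json",
            HOME + "/.config/gcloud/application_default_credentials.json"]
WINDOW = Window(clone_start=1771929563.218, install_end=1771929581.000)  # end assumed
ALLOWED_DST = {"140.82.121.4:443"}
CLEAN_EVENTS = ([FileEvent(1771929558.218, "OPEN", p) for p in CANARIES]
                + [FileEvent(1771929582.319, "ACCESS", p) for p in CANARIES])
CLEAN_FLOWS = [Flow(1771929564.100, "140.82.121.4:443")]

if __name__ == "__main__":
    r = triage(CLEAN_EVENTS, CLEAN_FLOWS, WINDOW, ALLOWED_DST)
    print(verdict(r), {k: len(v) for k, v in r.items()})
```

On the constructed data this reproduces the report's conclusion: all twelve accesses land outside the install window, nothing was written, and the only flow is to the expected origin, so the verdict is CLEAN. The same function turns SUSPICIOUS the moment a canary is opened inside the window and a flow leaves for a non-allowlisted destination, which is the pattern the canaries exist to catch.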

INFO No executable code, hooks, or submodules in skill -10

The skill repository path contains exactly two files: SKILL.md and _meta.json. No shell scripts, JavaScript, Python, Dockerfiles, Makefiles, git hooks, .gitattributes filter drivers, git submodules, or symlinks were found. The only installation side effect is copying these two files into the skill directory.