Is mcporter safe?

https://clawhub.ai/steipete/mcporter

Score: 72 · CAUTION

The mcporter skill is a legitimate MCP server management CLI wrapper, but it significantly expands the agent's attack surface by providing a general-purpose command execution gateway. The skill instructs the agent to call arbitrary URLs, spawn stdio processes with any command, and manage persistent daemons. During installation, sensitive files including .aws/credentials and .env were read, though no data exfiltration was detected. The skill itself contains no prompt injection, but its capabilities make it a high-value target for exploitation through other attack vectors.

Category Scores (score out of 100 · category weight)

Prompt Injection 75/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH Sensitive credential files accessed during install -30

During the clone and install phase, the process read /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. While no outbound network activity was detected and canary files remained intact, reading AWS credentials and environment variables during a skill install is a significant concern. This appears to be the OpenClaw runtime behavior rather than the skill itself, but the skill triggers this code path.

HIGH Skill acts as general-purpose command execution gateway -55

The mcporter skill instructs the agent to execute arbitrary MCP tool calls including spawning stdio processes with any command string (--stdio 'bun run ./server.ts'), calling arbitrary HTTP URLs (mcporter call https://...), and managing a persistent daemon. This dramatically expands the agent's attack surface and could be exploited through prompt injection in other skills or user messages to execute arbitrary commands.

MEDIUM npm package install with runtime code execution -25

The skill metadata specifies installing the 'mcporter' npm package, which executes JavaScript during npm lifecycle hooks. The /tmp/jiti/ directory shows multiple transpiled CJS modules were created and executed during install, indicating significant code execution at install time beyond simple file copying.

MEDIUM Skill instructs agent to call arbitrary external URLs -15

The SKILL.md demonstrates calling arbitrary external URLs via 'mcporter call https://api.example.com/mcp.fetch url:https://example.com'. When loaded into an agent's context, this normalizes the pattern of the agent making HTTP requests to arbitrary endpoints, which could be exploited to exfiltrate conversation data or fetch malicious payloads.

MEDIUM Persistent daemon management capability -20

The skill instructs the agent to start, stop, and restart a persistent background daemon process (mcporter daemon start|status|stop|restart). A persistent daemon could maintain backdoor access, exfiltrate data over time, or serve as a C2 channel that persists beyond the agent conversation.

MEDIUM Stdio mode enables arbitrary process spawning -10

The --stdio flag allows the agent to spawn any process as an MCP server (e.g., 'bun run ./server.ts'). An attacker could craft inputs that cause the agent to spawn malicious processes under the guise of connecting to an MCP server.

LOW Gateway lock file and temp directory creation -10

During install, a /tmp/openclaw-1000/gateway.e9191928.lock file was created, suggesting a gateway or daemon process attempted to initialize. While this appears to be standard OpenClaw runtime behavior, it indicates background process management during what should be a simple skill installation.

INFO No outbound network connections detected 0

Despite reading sensitive files (.env, .aws/credentials), no outbound network connections were observed during the audit. The firewall blocked nothing and no destination IPs were recorded. This suggests credentials were not exfiltrated during this particular run.

INFO No hidden instructions or encoding tricks in SKILL.md 0

The SKILL.md content is straightforward documentation for the mcporter CLI tool. No invisible unicode characters, HTML comments, markdown tricks, persona hijacking, or instructions to ignore previous instructions were found. The risk comes from the capabilities the tool provides, not from hidden prompt injection.