ClawAudit verdict
basecamp-cli
basecamp-cli-mcp
Full-featured Basecamp 4 CLI and MCP server that reads OAuth credentials from documented environment variables and makes API calls to Basecamp; all 76 tools are clearly scoped to Basecamp project management operations with no unexpected data sinks.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.
Permission integrity
package_install
Findings (9)
Possible hardcoded credential
SKILL.md · code · SECRET="<your-client-secret>
References child_process — can spawn system processes
scripts/validate.ts · prose · downgraded · child_process
Dynamic import() — loads module at runtime
src/__tests__/config.test.ts · prose · downgraded · import('
Accesses shell history/config
src/commands/auth.ts · prose · downgraded · ~/.zshrc
Accesses system credential store
src/lib/config.ts · prose · downgraded · keychain
Popular HTTP library — network access
package.json · prose · downgraded · got
Accesses sensitive environment variables
src/__tests__/config.test.ts · prose · downgraded · process.env.BASECAMP_CLIENT_SECRET
POSTs data to external URL
src/__tests__/projects.test.ts · prose · downgraded · .post(`https://
References webhook/callback URL
src/__tests__/webhooks.test.ts · prose · downgraded · Webhook.url
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
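An added check, not part of the ClawAudit output or of the basecamp-cli project: a POSIX shell script that reproduces the two mechanics behind this verdict on an unpacked package tree. The raw-bytes execution-sink scan sets the Caution floor no matter how individual findings are downgraded, and the lifecycle-script test is what the package_install capability flag stands for. The sample tree, the pattern list and the path-based code/prose split are constructed assumptions for illustration, not ClawAudit's actual rules; point PKG at your own unpacked tarball (for example the output of `npm pack`) to run it against a real package.

```shell
#!/bin/sh
# Added example (not ClawAudit's or the project's code). Reproduces the hard-floor
# logic described above on a package directory. Patterns below are assumptions
# modelled on the findings listed on this page.

# Execution-sink patterns. Any hit anywhere in raw bytes caps the tier at Caution.
EXEC_SINK_RE='child_process|execSync|spawn\('

# Capability patterns reported as individual findings (assumed list).
FINDING_RE="$EXEC_SINK_RE|process\.env\.[A-Z_]*SECRET[A-Z_]*|keychain|~/\.zshrc|\.post\("

# Return 0 if the tree contains an execution sink in any file, ignoring context.
has_exec_sink() {
    grep -rIqE "$EXEC_SINK_RE" "$1"
}

# Return 0 if package.json declares a script that runs at install time
# (preinstall / install / postinstall); this is what package_install means here.
has_install_script() {
    grep -qE '"(pre|post)?install"[[:space:]]*:' "$1/package.json" 2>/dev/null
}

# Print one line per match: path:line, code|prose, matched text.
# Assumed downgrade rule: matches in tests and markdown count as prose.
list_findings() {
    grep -rnoE "$FINDING_RE" "$1" \
    | while IFS=: read -r file line match; do
        case "$file" in
            *__tests__*|*.test.ts|*.md) kind=prose ;;
            *) kind=code ;;
        esac
        printf '%s:%s\t%s\t%s\n' "$file" "$line" "$kind" "$match"
    done
}

# Final tier: the hard floor wins over every downgrade, so a sink anywhere
# yields Caution; otherwise the package passes this particular check.
tier() {
    if has_exec_sink "$1"; then echo Caution; else echo Pass; fi
}

# Constructed sample tree standing in for an unpacked tarball (not the real package).
PKG="$(mktemp -d)"
mkdir -p "$PKG/scripts" "$PKG/src/__tests__"
printf '{ "name": "sample-cli", "scripts": { "test": "vitest" } }\n' > "$PKG/package.json"
printf 'import { execSync } from "child_process";\n' > "$PKG/scripts/validate.ts"
printf 'process.env.BASECAMP_CLIENT_SECRET = "x";\n' > "$PKG/src/__tests__/config.test.ts"

# Report. The sample tree is left in place under $PKG for inspection.
list_findings "$PKG"
if has_install_script "$PKG"; then echo "install script: yes"; else echo "install script: no"; fi
echo "tier: $(tier "$PKG")"
```

On the constructed tree the sink in scripts/validate.ts is classified as code while the secret reference in a test file is classified as prose, yet the tier is Caution either way, which is exactly the point of the hard floor: the per-finding downgrade only changes how the finding is labelled, never the cap.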
Permissions & capabilities
Requires 2 environment variables (1 sensitive: BASECAMP_CLIENT_SECRET). Requires 1 system binary.
package_install · network_in