ClawAudit verdict

skill-mcp-security-audit

mcp-security-audit

🟢 Trusted

Low risk — reviewed by ClawAudit, behavior matches stated purpose

Fetches from network AND uses eval/Function

Security audit skill teaching defensive MCP practices; commands shown are grep and npm audit patterns for auditing other software and the skill itself does not exfiltrate data.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

security

transparency

maintenance

What it does

These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.

Capability combination critical

Fetches from network AND uses eval/Function — the remote-code-execution pattern (data-flow not verified)

LLM05 · LLM06 · ASI05

Capability combination critical

Receives external input AND uses eval — the remote code-injection pattern (data-flow not verified)

LLM01 · LLM05 · ASI01 · ASI05

Capability combination critical

Receives external input AND executes processes — the shape of a command & control channel

LLM05 · LLM06 · ASI10

Capability combination critical

Accesses system credential store AND makes external network calls

LLM02 · ASI03

Capability combination high

Executes processes AND makes external network calls — may exfiltrate command output

LLM02 · LLM06 · ASI03

Capability combination high

Accesses credentials AND makes external network calls — potential credential theft

LLM02 · ASI03

Permission integrity

Makes network requests but does not declare curl/wget in required binaries

network_out

Code accesses API keys/tokens but declares no environment variables

credential_access

Findings (8)

Pattern match critical

Uses eval() — can execute arbitrary code

README.md · code · eval(

Pattern match critical

Possible hardcoded credential

README.md · code · token=' + process.env.API_KEY) // Unrestricted file access — reads any file on

Pattern match high

Base64 decode (atob) — may hide malicious payloads

README.md · code · atob(

Pattern match high

Uses exec() — may execute shell commands

README.md · code · exec(

Pattern match high

Dynamic import() — loads module at runtime

README.md · code · import('

Pattern match medium

Popular HTTP library — network access

SKILL.md · code · axios

Pattern match medium

Accesses sensitive environment variables

README.md · code · process.env.API_KEY

Pattern match low

Makes HTTP request to external URL

README.md · code · fetch('https://

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

No declared permissions — minimal attack surface.

network_incredential_storenetwork_outprocess_execdynamic_evalcredential_access

I installed anyway

Check another skill Browse the registry Auditing your own skills or configs? Use the API