← Back to Skills Marketplace
101
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install scopeblind-red-team
Description
Policy benchmarking runner for MCP security policies. Runs attack suites against protect-mcp policy packs, produces signed receipts and badges.
Usage Guidance
This skill appears to do what it says (run red-team checks against protect-mcp policies) but exercise caution: 1) The SKILL.md tells you to run a global 'npm install -g' — that will download and execute code from npm, so only proceed if you trust the @scopeblind and protect-mcp packages and their maintainers. 2) Verify you have Node/npm/npx installed (the registry metadata omitted this requirement). 3) Ask or inspect how 'signed receipts' are produced and where badges are sent — if signing requires keys or network uploads, confirm what credentials are needed and whether they will be transmitted externally. 4) Prefer testing in a disposable environment (container or VM) and, if possible, review the npm package source before installing. If you want, I can fetch the npm package pages and summarize their maintainers, versions, and homepage info to help decide whether to trust them.
Capability Analysis
Type: OpenClaw Skill
Name: scopeblind-red-team
Version: 0.1.1
The skill installs global npm packages (@scopeblind/red-team and protect-mcp) and executes 'attack suites' via npx as described in SKILL.md. While these actions are consistent with the stated purpose of security policy benchmarking, the execution of external code designed to simulate attacks is a high-risk capability. There is no direct evidence of malicious intent in the provided files, but the reliance on external, unverified payloads warrants caution.
Capability Assessment
Purpose & Capability
The skill claims to run attack suites against protect-mcp policies and the SKILL.md instructs use of @scopeblind/red-team and protect-mcp npm packages, which is coherent with the stated purpose. However the registry-level metadata provided to you earlier lists no required binaries while the SKILL.md declares 'npx' is required — this metadata mismatch is unexplained.
Instruction Scope
Runtime instructions are concise and stay on-task (examples show npx scopeblind-red-team --policy ...). They also include an 'install' line telling the user to run a global npm install. The SKILL.md mentions producing 'signed receipts and badges' but does not explain how signing keys are obtained or where badges/receipts are uploaded, which is vague and could lead to unexpected requests or network activity.
Install Mechanism
There is no platform install spec, but the skill's instructions tell users to run 'npm install -g @scopeblind/red-team@latest protect-mcp@latest'. Installing packages from the public npm registry is a common choice for this tooling but carries the normal risks of executing third‑party package code and modifying the system (global install). This is expected for the stated purpose but requires trusting the npm packages and their maintainers.
Credentials
The SKILL.md declares no required environment variables, yet it promises 'signed receipts' without explaining key management; that suggests missing credential requirements or unclear behavior. Also the earlier provided registry summary omitted the SKILL.md's declared dependency on 'npx' (and implicitly Node/npm), which is an unexplained discrepancy that could cause surprises at runtime.
Persistence & Privilege
The skill is not marked always:true, it is user-invocable, and there is no indication it attempts to persistently modify other skills or global agent configuration. The only persistence-related action in instructions is a recommended global npm install, which is local system modification but not an agent privilege escalation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install scopeblind-red-team - After installation, invoke the skill by name or use
/scopeblind-red-team - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Initial release of ScopeBlind Red Team skill.
- Runs attack suites against protect-mcp security policy packs.
- Produces signed receipts and badges for policy benchmarking.
- Installation via npm; requires npx and Bash.
- Includes quick start commands and documentation links.
Metadata
Frequently Asked Questions
What is ScopeBlind Red Team?
Policy benchmarking runner for MCP security policies. Runs attack suites against protect-mcp policy packs, produces signed receipts and badges. It is an AI Agent Skill for Claude Code / OpenClaw, with 101 downloads so far.
How do I install ScopeBlind Red Team?
Run "/install scopeblind-red-team" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ScopeBlind Red Team free?
Yes, ScopeBlind Red Team is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ScopeBlind Red Team support?
ScopeBlind Red Team is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ScopeBlind Red Team?
It is built and maintained by TJF (@tomjwxf); the current version is v0.1.1.
More Skills