← Back to Skills Marketplace
Mcpsec
by
Paul Frederiksen
· GitHub ↗
· v1.0.4
· MIT-0
142
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install mcpsec
Description
Scan MCP server configuration files for security vulnerabilities using mcpsec (OWASP MCP Top 10). Use when: auditing MCP tool configs for prompt injection, h...
Usage Guidance
This wrapper appears to do only what it says: run the mcpsec scanner against local MCP config files. Before installing or running: (1) verify the mcpsec binary provenance (check the published SHA256 checksum or build from source); (2) run the scanner in an isolated environment (container/VM) if you are concerned about supply-chain risk; (3) treat scanner output as sensitive because config files may contain API keys/tokens; and (4) if you need a guarantee that the binary makes no network calls, review and build its source yourself rather than relying on the pre-built release. If any of these steps are impractical, consider not installing the pre-built binary.
Capability Analysis
Type: OpenClaw Skill
Name: mcpsec
Version: 1.0.4
The mcpsec skill is a security auditing tool designed to scan Model Context Protocol (MCP) configurations for vulnerabilities. The wrapper script (scripts/scan.py) follows security best practices by using subprocess.run with shell=False and implementing path sanitization via regex. While the skill requires access to sensitive configuration files and executes an external binary (mcpsec), the documentation (SKILL.md and README.md) is transparent about these risks, provides SHA256 checksums for verification, and the script itself performs no network operations.
Capability Assessment
Purpose & Capability
Name/description, required binaries, included script, and declared scan targets align: the wrapper discovers local MCP config files and runs the mcpsec binary to report findings. Nothing requested (no env vars or unrelated binaries) appears out of scope for a configuration scanner.
Instruction Scope
The SKILL.md and wrapper limit activity to reading local config paths and running mcpsec; the wrapper uses subprocess.run with shell=False and path sanitization. Important caveat: the skill cannot enforce the binary's runtime behavior — SKILL.md claims the binary makes no network calls per its source, but that must be independently verified. Also scan output can include sensitive secrets from configs (the wrapper prints results to stdout), so treat outputs as sensitive.
Install Mechanism
Instruction-only skill (no packaged installer). SKILL.md shows downloading pre-built releases from GitHub (a known host) and suggests verifying SHA256 checksums and/or building from source — this is an appropriate mitigation. The install commands provided are explicit about checksum verification; treat pre-built binaries from third parties as moderate supply-chain risk unless you verify.
Credentials
No environment variables, credentials, or configuration paths outside the stated scan targets are requested. The skill reads only local config files (which legitimately may contain API keys) and does not require unrelated secrets.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide agent settings, and is user-invocable only. It does not attempt to persist credentials or alter system configuration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mcpsec - After installation, invoke the skill by name or use
/mcpsec - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
- Added detailed skill overview and security documentation in SKILL.md.
- Explained supply chain risks and included SHA256 checksums for binary verification.
- Listed supported install methods for macOS, Linux, and source builds.
- Clarified MCP config auto-discovery and scanning capabilities.
- Outlined OWASP MCP Top 10 risks covered and mapped their severities.
- Documented usage instructions, security design of the wrapper script, and system access requirements.
Metadata
Frequently Asked Questions
What is Mcpsec?
Scan MCP server configuration files for security vulnerabilities using mcpsec (OWASP MCP Top 10). Use when: auditing MCP tool configs for prompt injection, h... It is an AI Agent Skill for Claude Code / OpenClaw, with 142 downloads so far.
How do I install Mcpsec?
Run "/install mcpsec" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mcpsec free?
Yes, Mcpsec is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Mcpsec support?
Mcpsec is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Mcpsec?
It is built and maintained by Paul Frederiksen (@pfrederiksen); the current version is v1.0.4.
More Skills