← 返回 Skills 市场

MCP Security Auditor Lite

Name: MCP Security Auditor Lite
Author: apex-stack-ai

作者 apex-stack-ai · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ✓ 安全检测通过

104

总下载

当前安装

版本数

在 OpenClaw 中安装

/install mcp-security-auditor-lite

功能描述

Free version — scan your MCP configuration for the top 3 security risks. Tool description injection, permission sprawl, and supply chain trust.

使用说明 (SKILL.md)

MCP Security Auditor Lite — Quick Security Scan

You are an MCP security specialist. Your job is to quickly assess MCP server configurations for the most critical security risks.

This lite version covers 3 of 8 audit dimensions. For the full MCP Security Auditor with all 8 dimensions, tool injection scanning, config drift detection, cross-tool safety analysis, and ongoing monitoring checklists, get the paid version: https://apexstack.gumroad.com/l/mcp-security-auditor

How to Use

Provide your MCP config (JSON/YAML), tool list, or describe your MCP server setup. I'll scan for the top 3 risks.

Quick Security Scan (Lite — 3 Dimensions)

1. Tool Description Integrity — /10

Are tool descriptions purely descriptive or do they contain hidden instructions?

Red flags:

Imperative language ("always do X before calling other tools")
References to other tools' behavior
Unusually long descriptions (more attack surface)
Instructions to ignore or override previous context

Scoring:

9-10: All descriptions purely descriptive, manually reviewed
5-6: Some imperative language, no hidden content detected
1-2: Active injection patterns, descriptions manipulate agent behavior

2. Permission Scope — /10

Do tools have the minimum permissions needed?

Red flags:

File system tools with root/home access instead of scoped directories
Database tools with write access when only reads are needed
Tools that can access environment variables or secrets
Admin-level access on tools that should be read-only

Scoring:

9-10: Every tool follows least-privilege, scoped to specific resources
5-6: Several tools have broad permissions, no systematic scoping
1-2: Tools have admin access, can access secrets, no boundaries

3. Supply Chain Trust — /10

Are your MCP servers from trusted sources?

Red flags:

Unverified community MCP servers with no source review
No version pinning (running "latest" = rug-pull risk)
Servers installed without security evaluation
No CVE monitoring for MCP dependencies

Scoring:

9-10: Verified publishers, pinned versions, source reviewed
5-6: Mix of trusted and unverified, some pinning
1-2: Random servers installed without evaluation

Lite Output

## MCP Quick Security Scan: [Project]

### Score: [X/30] ([percentage]%) — [Secure / Adequate / At Risk]

| Dimension | Score | Risk | Top Action |
|-----------|-------|------|------------|
| Tool Description Integrity | X/10 | red/yellow/green | [action] |
| Permission Scope | X/10 | red/yellow/green | [action] |
| Supply Chain Trust | X/10 | red/yellow/green | [action] |

### Top 3 Fixes
1. [action]
2. [action]
3. [action]

Want the full security audit? The paid version includes all 8 dimensions, tool description injection scanner, permission scope analyzer, config drift detector, cross-tool manipulation checker, monitoring checklists, and prioritized remediation roadmap.

Get the full version -> https://apexstack.gumroad.com/l/mcp-security-auditor

Built by Apex Stack — based on real experience running 10+ MCP-connected agents in production.

安全使用建议

This skill is a checklist-style, manual analyzer and is internally consistent with its description. Before using it: do not paste live secrets, API keys, or private keys into the chat — sanitize or redact sensitive fields; verify any remediation steps before applying them; treat the paid-version link as an external marketing URL (don’t provide credentials there); and remember the output is agent reasoning (not an automated code audit), so consider running independent tooling for confirmatory checks if you need high assurance.

功能分析

Type: OpenClaw Skill Name: mcp-security-auditor-lite Version: 1.0.0 The skill bundle consists entirely of markdown instructions (SKILL.md) directing the AI agent to act as a security auditor for MCP (Model Context Protocol) configurations. It contains no executable code, no data exfiltration logic, and no malicious prompt injection; instead, it provides a framework for the agent to evaluate security risks like tool description integrity and permission sprawl. The inclusion of a link to a paid version on Gumroad is a standard commercial practice and does not pose a technical security threat.

能力评估

✓ Purpose & Capability

Name and description match SKILL.md: it promises a lightweight, manual-style security scan of MCP configs across three dimensions. There are no unexpected binaries, env vars, or installs required.

ℹ Instruction Scope

The skill is instruction-only and asks the agent to evaluate MCP config/tool lists provided by the user using the included rubrics. This is expected, but the rubric-driven analysis is manual reasoning rather than automated checks; the user must supply config data (which may contain secrets) and the agent will analyze it.

✓ Install Mechanism

No install spec or code files; lowest-risk delivery model. Nothing is downloaded or written to disk by the skill itself.

ℹ Credentials

The skill declares no required credentials or environment access (appropriate). However, it requires the user to paste MCP configs/tool lists — those artifacts can contain sensitive secrets or tokens, so the user should sanitize inputs before sharing.

✓ Persistence & Privilege

always is false and default invocation behavior is normal. The skill does not request persistent presence or system-wide changes.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install mcp-security-auditor-lite
安装完成后，直接呼叫该 Skill 的名称或使用 /mcp-security-auditor-lite 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of MCP Security Auditor Lite. - Launches free version to scan MCP configurations for the top 3 security risks: tool description integrity, permission sprawl, and supply chain trust. - Provides scoring and actionable recommendations for each risk. - Includes a concise output template to summarize findings and top fixes. - Full version link provided for advanced auditing and extra features.

元数据

Slug mcp-security-auditor-lite

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题