← 返回 Skills 市场
pfrederiksen

Mcpsec

作者 Paul Frederiksen · GitHub ↗ · v1.0.4 · MIT-0
cross-platform ✓ 安全检测通过
142
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mcpsec
功能描述
Scan MCP server configuration files for security vulnerabilities using mcpsec (OWASP MCP Top 10). Use when: auditing MCP tool configs for prompt injection, h...
安全使用建议
This wrapper appears to do only what it says: run the mcpsec scanner against local MCP config files. Before installing or running: (1) verify the mcpsec binary provenance (check the published SHA256 checksum or build from source); (2) run the scanner in an isolated environment (container/VM) if you are concerned about supply-chain risk; (3) treat scanner output as sensitive because config files may contain API keys/tokens; and (4) if you need a guarantee that the binary makes no network calls, review and build its source yourself rather than relying on the pre-built release. If any of these steps are impractical, consider not installing the pre-built binary.
功能分析
Type: OpenClaw Skill Name: mcpsec Version: 1.0.4 The mcpsec skill is a security auditing tool designed to scan Model Context Protocol (MCP) configurations for vulnerabilities. The wrapper script (scripts/scan.py) follows security best practices by using subprocess.run with shell=False and implementing path sanitization via regex. While the skill requires access to sensitive configuration files and executes an external binary (mcpsec), the documentation (SKILL.md and README.md) is transparent about these risks, provides SHA256 checksums for verification, and the script itself performs no network operations.
能力评估
Purpose & Capability
Name/description, required binaries, included script, and declared scan targets align: the wrapper discovers local MCP config files and runs the mcpsec binary to report findings. Nothing requested (no env vars or unrelated binaries) appears out of scope for a configuration scanner.
Instruction Scope
The SKILL.md and wrapper limit activity to reading local config paths and running mcpsec; the wrapper uses subprocess.run with shell=False and path sanitization. Important caveat: the skill cannot enforce the binary's runtime behavior — SKILL.md claims the binary makes no network calls per its source, but that must be independently verified. Also scan output can include sensitive secrets from configs (the wrapper prints results to stdout), so treat outputs as sensitive.
Install Mechanism
Instruction-only skill (no packaged installer). SKILL.md shows downloading pre-built releases from GitHub (a known host) and suggests verifying SHA256 checksums and/or building from source — this is an appropriate mitigation. The install commands provided are explicit about checksum verification; treat pre-built binaries from third parties as moderate supply-chain risk unless you verify.
Credentials
No environment variables, credentials, or configuration paths outside the stated scan targets are requested. The skill reads only local config files (which legitimately may contain API keys) and does not require unrelated secrets.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide agent settings, and is user-invocable only. It does not attempt to persist credentials or alter system configuration.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install mcpsec
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /mcpsec 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.4
- Added detailed skill overview and security documentation in SKILL.md. - Explained supply chain risks and included SHA256 checksums for binary verification. - Listed supported install methods for macOS, Linux, and source builds. - Clarified MCP config auto-discovery and scanning capabilities. - Outlined OWASP MCP Top 10 risks covered and mapped their severities. - Documented usage instructions, security design of the wrapper script, and system access requirements.
元数据
Slug mcpsec
版本 1.0.4
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Mcpsec 是什么?

Scan MCP server configuration files for security vulnerabilities using mcpsec (OWASP MCP Top 10). Use when: auditing MCP tool configs for prompt injection, h... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 142 次。

如何安装 Mcpsec?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install mcpsec」即可一键安装,无需额外配置。

Mcpsec 是免费的吗?

是的,Mcpsec 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Mcpsec 支持哪些平台?

Mcpsec 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Mcpsec?

由 Paul Frederiksen(@pfrederiksen)开发并维护,当前版本 v1.0.4。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论