Snipara Mcp

Semantic search tool to quickly find answers across multiple code repositories with AI memory of your preferences for faster documentation lookup.

Things to check before installing/using this skill: - Provenance: The bundle includes full Python source and suggests installation via pip/uvx, but the registry metadata omitted install/env declarations and shows a different version. Verify the publisher (check PyPI package name, the GitHub repo referenced in README, and that snipara.com is the legitimate service) before running pip/npm. - Credentials: The package uses SNIPARA_API_KEY and SNIPARA_PROJECT_ID (and supports OAuth device flow). These are sensitive. Do not reuse high-privilege or long-lived credentials; prefer limited-scope or short-lived keys and revoke after testing. - Local token storage: OAuth tokens are stored at ~/.snipara/tokens.json with owner-only permissions. If you run the login flow, expect a token file to be created — review its contents and clean up when no longer needed. - Client config changes: SKILL.md shows examples of adding the MCP server to client config files (Claude, Cursor, etc.). Those are manual instructions — the package does not need to modify other tools automatically, but if you follow them you are giving that client persistent access to the Snipara MCP server. Only add it to clients you control and trust. - Data persistence on remote service: The skill offers rlm_remember/rlm_recall for storing preferences and 'memory' on Snipara servers. Understand what you store remotely; avoid sending secrets or private tokens to the third-party memory store. - Audit the code (or run in an isolated environment): Because there are metadata inconsistencies and the package will make network calls, consider inspecting the code, running it in a disposable container, or using network egress controls before granting it credentials. If the publisher and package sources check out and you are comfortable with storing a project-scoped API key or using OAuth, the tool's behavior aligns with its stated purpose. If you cannot verify the package origin or you don't want tokens stored remotely or locally, do not install it.

Type: OpenClaw Skill Name: snipara-mcp Version: 0.1.0 The skill bundle provides tools for documentation search and AI agent coordination via the Snipara API. The `skill.md` instructions clearly define tool usage without attempting prompt injection or instructing the agent to perform malicious actions. The Python code handles authentication by reading `SNIPARA_API_KEY` and `SNIPARA_PROJECT_ID` from environment variables and securely storing OAuth tokens in `~/.snipara/tokens.json` with appropriate permissions. All network calls are directed to `snipara.com` for legitimate API interactions. The `rlm_read` tool, despite its name, is implemented as an API call to read indexed documentation on the Snipara platform, not arbitrary local files. No evidence of data exfiltration, malicious execution, persistence, or obfuscation was found.