Use the mcporter CLI to list, configure, auth, and call MCP servers/tools directly (HTTP or stdio), including ad-hoc servers, config edits, and CLI/type generation.
Security Analysis
medium confidenceThe SKILL.md aligns with a CLI-focused skill (mcporter) but it contains metadata/install instructions that conflict with the registry record and the runtime instructions allow executing arbitrary stdio commands and storing auth in a local config — review before installing or granting it access.
The skill's name/description are consistent with the SKILL.md: it is a thin wrapper for the mcporter CLI (listing, calling, auth, config, codegen). However the registry metadata provided earlier lists no required binaries or install, while the SKILL.md metadata explicitly requires the 'mcporter' binary and suggests installing the npm package 'mcporter' — an inconsistency between declared registry requirements and the runtime instructions.
The instructions confine the agent to using the mcporter CLI (list, call, auth, config, daemon, generate). They do reference a default config path (./config/mcporter.json) and show examples that run arbitrary stdio commands (e.g., `mcporter call --stdio "bun run ./server.ts"`) — which means the CLI can be used to execute or pipe arbitrary subprocess activity. The SKILL.md does not instruct the agent to read unrelated system files or environment variables, but the ability to run arbitrary commands and to perform auth means the agent could cause local execution or create/store credentials.
The registry claimed 'no install spec', but SKILL.md metadata includes an install hint: a Node/npm package 'mcporter' (kind: node). Installing from npm is common but carries moderate risk compared with no install; npm packages can contain arbitrary code. The install source is a package name (npm-style), not a direct arbitrary URL, which is more traceable, but you should verify the package and its publisher before installing.
The skill declares no required environment variables or primary credential. That is proportionate to an instruction-only CLI wrapper. However the SKILL.md documents auth commands and a local config path where credentials (OAuth tokens, API keys) may be stored (./config/mcporter.json by default). Because the skill can run auth flows and write a config file, it may end up storing secrets locally even though none are declared up front — users should be aware and inspect where credentials are kept.
always:false and no install-time modifications to other skills are present. The skill does not require permanent platform-wide presence. Note that the skill (like all skills) can be invoked autonomously by the agent (disable-model-invocation:false), so if you permit autonomous use the agent could call mcporter commands without further prompts.
Guidance
This skill appears to be a CLI helper for the mcporter tool and is mostly coherent, but pay attention to the following before installing: 1) Metadata mismatch — the registry record shows no install/bin requirements while SKILL.md expects the 'mcporter' binary and offers an npm install; confirm which is accurate. 2) The SKILL.md examples include --stdio and running arbitrary commands (e.g., bun run ./server.ts), so the CLI can be used to execute or proxy arbitrary subprocesses — only allow it in trusted/sandboxed environments. 3) Auth flows will likely store tokens in a local config (./config/mcporter.json) — inspect and lock that file and avoid giving broad platform credentials. 4) The install suggestion is an npm package; review the npm package page, author, source repo, and recent releases before installing. 5) If you allow the agent to invoke this skill autonomously, consider restricting what credentials the agent has access to and test the CLI manually first to understand its behavior.
Latest Release
v1.0.0
More by @steipete
Published by @steipete on ClawHub
