Trust Assessment
mcp-registry-manager received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 4 medium, and 0 low severity. Key findings include "Missing required field: name", "Suspicious import: requests", and "Unsafe extraction of untrusted archives (Path Traversal)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unsafe extraction of untrusted archives (Path Traversal). The `install_server` function downloads content from `server.url` (which originates from potentially untrusted external sources like GitHub search or other registries) and attempts to extract it as a gzipped tarball using `tar.extractall`. This method is highly vulnerable to path traversal attacks (e.g., 'Zip Slip'). A malicious archive could contain entries like `../../../../etc/passwd`, allowing an attacker to write files to arbitrary locations on the user's filesystem outside the intended installation directory (`~/.openclaw/workspace/mcp-servers`). This can lead to arbitrary code execution, system compromise, or data corruption. Implement safe extraction by validating each member's path before extraction. Ensure that each extracted file's path resolves strictly within the target `install_path`. A common pattern involves checking `member.name` for `..` or absolute paths and raising an error if found. Alternatively, use a secure extraction utility or implement a custom extraction loop that explicitly checks and sanitizes paths. | LLM | scripts/mcp-registry.py:235 |
| HIGH | Excessive write permissions due to unsafe archive extraction. The skill is designed to install MCP servers into a subdirectory within the user's home directory (`~/.openclaw/workspace/mcp-servers`). However, the use of `tar.extractall` without proper path validation on archives downloaded from untrusted sources grants the skill excessive write permissions. This allows a malicious archive to write files to any location on the filesystem where the user running the script has write access, not just within the designated `install_path`. This significantly amplifies the impact of the command injection vulnerability, potentially leading to widespread system compromise. Restrict the write scope by implementing strict path validation during archive extraction. Ensure that all extracted files are confined to the intended `install_path` and cannot traverse outside of it. This directly mitigates the risk of arbitrary file writes to sensitive system locations. | LLM | scripts/mcp-registry.py:225 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from the frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/orosha-ai/mcp-registry-manager/SKILL.md:1 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/orosha-ai/mcp-registry-manager/scripts/mcp-registry.py:20 |
| MEDIUM | Unpinned Python dependencies in installation instructions. The installation instructions in `SKILL.md` specify Python dependencies (`requests`, `sentence-transformers`, `numpy`, `pandas`) without pinning them to specific versions. This introduces a supply chain risk, as future updates to these packages could introduce vulnerabilities, breaking changes, or even malicious code. Unpinned dependencies make the build non-deterministic and harder to reproduce securely. Pin all dependencies to specific, known-good versions (e.g., `requests==2.28.1`). It is best practice to use a `requirements.txt` file with exact versions generated via `pip freeze > requirements.txt` after verifying the working environment. | LLM | SKILL.md:104 |
| MEDIUM | Unverified machine learning model download. The script automatically downloads the `all-MiniLM-L6-v2` machine learning model from an external source (typically Hugging Face) without any integrity verification (e.g., checksums or cryptographic signatures). This introduces a supply chain risk: if the model repository or the download infrastructure is compromised, a malicious model could be served, potentially leading to arbitrary code execution or data manipulation when the model is loaded and used. Implement integrity checks for downloaded models, such as comparing a cryptographic hash (SHA256) of the downloaded file against a known good hash. Consider using a trusted, verified source for models or hosting them internally with strict access controls. | LLM | scripts/mcp-registry.py:46 |
Full report: https://skillshield.io/report/e069da2181427fa2