Pluginv0.2.4

ClawScan security

KeplerPlugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 13, 2026, 7:33 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (saving/recalling links via a Kepler MCP server) is coherent, but there are mismatches: it fetches/executes remote code via .mcp.json, reads and writes OAuth token files in the user's home without declaring those config paths or env vars, and the repository contains both a local server script and a .mcp.json that runs a remote copy — these issues merit caution.
Guidance: This plugin appears to do what it claims (save and recall links through Kepler), but there are a few red flags to consider before installing: - Remote code execution: .mcp.json would run a script directly from a raw GitHub URL (uv run https://raw.githubusercontent.com/...). Running code fetched at runtime is higher risk — review the exact remote script version and prefer running the included local copy if you trust it. - Undeclared env vars and file writes: the proxy script reads KEPLER_* environment variables and writes OAuth tokens to ~/.fastmcp/oauth-mcp-client-cache by default. Those storage and env behaviors are not declared in the metadata or SKILL.md. - Duplication/inconsistency: the repository includes mcp-proxy-server.py locally but .mcp.json points at a remote copy. Confirm which will be executed. - If you proceed: inspect the local mcp-proxy-server.py yourself, run in a sandboxed environment or container, and verify the target KEPLER_MCP_URL before authorizing OAuth. If you do not trust app.keplerbrowser.com or the remote script, do not grant OAuth or allow the remote-run behavior. If you want higher assurance, ask the publisher for a signed release, a canonical install method, or explicit documentation of the env vars and where credentials are stored.

Review Dimensions

Purpose & Capability: noteThe stated purpose (save/recall links via a Kepler MCP server) aligns with the included code and SKILL.md tools (add_link, search_links, list_spaces). Acceptable for the plugin to perform OAuth and contact a kepler MCP endpoint. Minor inconsistency: the bundle contains a local mcp-proxy-server.py and .mcp.json points to a remote raw GitHub URL for the same script (duplication that could lead to executing remote code instead of the local file).
Instruction Scope: concernSKILL.md instructions are narrowly scoped to Kepler tool usage, but the runtime file (mcp-proxy-server.py) reads environment variables (KEPLER_MCP_URL, KEPLER_MCP_SERVER_NAME, KEPLER_OAUTH_TOKEN_DIR, KEPLER_OAUTH_CALLBACK_PORT) and will create token storage under the user's home (~/.fastmcp/...) — none of these env vars or config path side-effects are declared in the skill metadata or SKILL.md.
Install Mechanism: concernThere is no formal install spec, but .mcp.json instructs 'uv run' on a raw.githubusercontent.com URL, which would fetch and execute remote Python code at runtime. Running code directly from a raw URL is higher risk even if the host is GitHub; combined with the local copy of the same script, this is an inconsistency worth reviewing before installation.
Credentials: noteThe skill does not declare required env vars, yet the proxy script uses several env vars to override MCP URL, server name, OAuth token directory, and callback port. The script will persist OAuth tokens to a directory in the user's home (default ~/.fastmcp/oauth-mcp-client-cache). These behaviors are proportional to an OAuth-based connector, but they are not surfaced in the metadata and grant persistent local storage of credentials.
Persistence & Privilege: notealways:false (no forced persistence). However, the proxy will create and persist OAuth token files in the user's home directory by default. The skill does not request or modify other skills' configs and lacks an explicit install step, but it can cause persistent files to be written locally and may spawn an OAuth callback listener depending on configuration.