Plugin v0.2.5

ClawScan security

KeplerPlugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 13, 2026, 7:35 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it says (connects an agent to Kepler to save/recall links) but includes runtime behavior that is not fully declared (remote script execution, local OAuth token persistence) and an odd redundancy that warrants caution.
Guidance
This plugin appears to implement a legitimate Kepler MCP proxy so agents can save and search links, but take these cautions before installing:
1) The bundle includes a Python MCP proxy that will persist OAuth tokens to ~/.fastmcp and may open a callback port; expect OAuth browser flows and local token files.
2) .mcp.json points at a raw GitHub URL to 'uv run' a remote script — running code fetched at runtime is risky; prefer running the bundled copy or verifying the remote source yourself.
3) Verify you trust https://app.keplerbrowser.com as the MCP endpoint and review Kepler's privacy policy before granting access.
4) If you need lower risk, ask the publisher why the remote-run URL is present (when the same script is packaged) and request explicit documentation on the OAuth behavior and what is stored locally.

Review Dimensions

Purpose & Capability
note: The plugin's name/description (save and recall links) matches the included tools and the mcp-proxy server that proxies to Kepler's MCP endpoint. However .mcp.json references running a remote raw GitHub script while the same script is also packaged locally — this redundancy is unexplained and unusual.
Instruction Scope
note: SKILL.md instructs the agent to call Kepler MCP tools (add_link, list_spaces, search_links) which is in-scope. It does not document that the MCP proxy will persist OAuth tokens to the user's home directory (~/.fastmcp/...) or that an OAuth flow (possibly opening a callback port) may be performed; those behaviors appear only in mcp-proxy-server.py.
Install Mechanism
concern: .mcp.json contains a command to run a remote script using `uv run https://raw.githubusercontent.com/.../mcp-proxy-server.py`. Executing code fetched at runtime from a raw GitHub URL is a higher-risk pattern (remote arbitrary code execution). Although the same script is included in the bundle, the presence of a remote-run URI is unexpected and increases risk.
Credentials
note: The skill declares no required environment variables or credentials, which is reasonable for a plugin. The packaged server code, however, will read optional environment variables (KEPLER_MCP_URL, KEPLER_MCP_SERVER_NAME, KEPLER_OAUTH_TOKEN_DIR, KEPLER_OAUTH_CALLBACK_PORT) and will persist OAuth tokens under ~/.fastmcp by default. That persistent token storage is proportionate to an OAuth proxy but is not documented in SKILL.md or metadata.
Persistence & Privilege
note: The skill does not request always:true and does not require elevated OS privileges. It will create token files under the user's home (~/.fastmcp/oauth-mcp-client-cache) and may run a local proxy process; this is persistent state and network connectivity but limited to its own token storage and runtime.