by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to provide the advertised EPA/HUD data, but it does so by instructing your agent to add a third-party MCP endpoint (environmental-compliance-mcp.apify.actor). Before installing, verify the external service: review the referenced GitHub repo and the apify actor, confirm you trust that endpoint, and understand what data will be sent there. If you prefer not to route queries through a proxy, consider implementing a skill that calls the official EPA/HUD APIs directly or run the mc...详细分析 ▾
ℹ 用途与能力
The name/description (EPA air quality + HUD foreclosures) matches the declared tools and parameters. Requesting the mcporter binary is coherent if the agent needs to register MCP servers. However the skill routes calls through a third-party MCP server (environmental-compliance-mcp.apify.actor) rather than calling government APIs directly; that proxying is not explained and is notable.
⚠ 指令范围
SKILL.md tells the agent to run `mcporter add ...` or to edit `~/.openclaw/mcp.json` to add the remote server. The instructions therefore modify a user config file and will direct queries to an external apify.actor endpoint. The skill does not instruct reading any unrelated local files or env vars, but the implicit change to the MCP config (a user-level config path) is not declared in the skill metadata and may persistently redirect agent traffic.
✓ 安装机制
This is an instruction-only skill with no install spec or code files, so nothing is written by the skill itself. That is the lowest-risk install model. The only runtime dependency declared is the mcporter binary, which is reasonable for registering MCP servers.
ℹ 凭证需求
No environment variables or credentials are requested, which is appropriate. However, the skill's runtime relies on a remote third-party MCP service (apify.actor) to fulfill queries; this means user queries and potentially query context will be sent to that external host — a privacy/consent consideration even though no secrets are requested.
ℹ 持久化与权限
The SKILL.md explicitly shows adding an entry to `~/.openclaw/mcp.json`, which will persistently register a remote server for future agent runs. The skill itself does not request always:true or system-level privileges, but it does instruct a persistent modification to the user's agent config. That persistent registration increases the blast radius if the remote endpoint is untrusted.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/28
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install gov-environment
镜像加速npx clawhub@latest install gov-environment --registry https://cn.longxiaskill.com