🇨🇴 MCP Colombia — 哥伦比亚服务集成
v1.0.9通过 MCP 协议聚合哥伦比亚本地服务,集成 Soulprint 身份验证,可在敏感操作前快速核验哥伦比亚用户身份,一站式对接政府、金融等多类本地 API,提升合规与效率。
4· 482·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill is plausible for aggregating Colombian services, but take precautions before installing: 1) Inspect the npm package source and the linked GitHub repo — npx will fetch and run code from the public registry. 2) Expect network calls to third-party services (Booking.com scraping, Brave Search, Awin affiliates, and a Soulprint validator hosted on railway.app). 3) The SKILL.md references BRAVE_API_KEY and affiliate tokens but the skill metadata doesn't declare them — ask the author which en...详细分析 ▾
ℹ 用途与能力
The described capabilities (MercadoLibre, Booking.com scraping, flight searches, financial simulators, job applications, Soulprint identity checks) align with requiring a Node-based MCP server. Requiring node/npx is coherent. However, the SKILL.md references external API keys (BRAVE_API_KEY) and affiliate usage (Awin) that are not declared in the skill metadata, and the SKILL.md lists a different package version (1.3.0) than the registry metadata (1.0.9). These mismatches reduce confidence that the declared requirements fully describe what the skill needs.
ℹ 指令范围
Instructions tell the agent/operator to run the package with npx and enumerate many tools that perform live web scraping (JSON-LD extraction from Booking.com), search via Brave (conditional on BRAVE_API_KEY), and performing job applications which may submit user CVs or links. The SKILL.md reads an MCP capability token (x-soulprint-token) for identity checks. The scope is generally consistent with the purpose, but it includes actions that involve sending user-supplied personal data to external services and querying a third-party validator node (railway.app), so users should expect network calls and potential data transmission.
⚠ 安装机制
There is no platform-level install spec; the SKILL.md instructs running 'npx -y mcp-colombia-hub', which will fetch and execute code from the npm registry at runtime. Executing remote npm packages is a legitimate delivery method for such adapters, but it means arbitrary code from the public registry will run on the host. The SKILL.md does point to an npm page and a GitHub repo, which helps traceability, but you should review the package source before running it.
⚠ 凭证需求
The skill metadata declares no required environment variables, but the SKILL.md references BRAVE_API_KEY (for flight price lookups) and expects an 'x-soulprint-token' capability. BRAVE_API_KEY and any affiliate keys (Awin) are not declared as required/optional env vars. That mismatch is important: the skill will behave differently if those keys are present and may attempt to use them, so the declared environment requirements are incomplete.
✓ 持久化与权限
The skill does not request persistent or elevated platform privileges. always is false, autonomous invocation is allowed (the default), and there is no instruction to modify other skills or global agent configuration. This is expected for a user-invocable MCP adapter.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.92026/2/24
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install mcp-colombia
镜像加速npx clawhub@latest install mcp-colombia --registry https://cn.longxiaskill.com