slides-generation-skills

clawhub:slides-generation-skills

View source

85/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Shell metacharacters in MCP config args MCPCFG_002

mcp-config L309

Detects shell metacharacters (pipes, backticks, subshells) in MCP server command arguments

"args": ["2slides-mcp"]`

FIX

Remove credentials (API keys, tokens, passwords) from MCP server configuration. Use environment variable references (e.g., ${API_KEY}) or a secrets manager instead of inline values.

FP?

Likely FP if the credential value is a placeholder (e.g., your-api-key-here, sk_test_xxx) in example configuration.

LOW

npx MCP server without version pin MCPCFG_001

mcp-config L309

Detects MCP server configs using npx to run packages without version pinning

"command": "npx"

FIX

Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.

FP?

Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.