Low Risk — Risk Score 20/100
Last scan: 2 days ago
metacomp_visionx_kyt
Check Web3 wallet or transaction security using MetaComp VisionX KYT (Know-Your-Transaction) analysis via MCP server
A straightforward Web3 security analysis skill that uses an MCP server for KYT (Know-Your-Transaction) blockchain analysis with no hidden functionality or malicious behavior detected.
Skill Name: metacomp_visionx_kyt
Duration: 28.1s
Engine: pi
Safe to install
Approve for use. The skill is well-documented and performs a legitimate security analysis function. Minor concern: API token passed as CLI arg (logged in process listings), but this is standard practice for MCP servers.

Findings 2 items

Severity: Low
Finding: API token visible in process arguments
The setup guide shows passing the API token directly as a CLI argument to the npx command, which means the token may be visible in process listings (ps aux). This is a minor operational security concern but is standard practice for MCP server configuration.
"args": ["-y", "--package", "@metacomp/visionx-kyt-mcp", "visionx-kyt-mcp", "--token", "YOUR_API_KEY"]
→ Consider documenting that users should use environment variable passing or secrets management if the MCP framework supports it.
Location: SKILL.md:165

Severity: Low
Finding: External URL references
The skill references external URLs (metacomp.ai, github.com) for installation and setup. These are standard for legitimate open-source tools but represent a dependency on external infrastructure.
homepage: https://github.com/metacomp-ai/remote-mcp
→ Users should verify URLs before following installation instructions.
Location: SKILL.md:5

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md: Only requires reading the skill file itself
Network | READ | READ | ✓ Aligned | SKILL.md: Uses MCP server for API calls to blockchain analysis services
Shell | NONE | NONE | | SKILL.md: No subprocess/bash declarations
Skill Invoke | WRITE | WRITE | ✓ Aligned | SKILL.md: Explicitly invokes get_wallet_security and get_transaction_security MC…
Browser | NONE | NONE | | SKILL.md: No browser tool references
Clipboard | NONE | NONE | | SKILL.md: No clipboard access
Database | NONE | NONE | | SKILL.md: No database access
Environment | READ | READ | ✓ Aligned | SKILL.md: Requires METACOMP_TOKEN env var, reads it for MCP server configuration

1 finding
Medium External URL
https://www.metacomp.ai
SKILL.md:5

File Tree

1 file · 16.5 KB · 417 lines
Markdown 1f · 417L
└─ 📝 SKILL.md Markdown 417L · 16.5 KB

Dependencies 1 item

Package | Version | Source | Known Vulns | Notes
@metacomp/visionx-kyt-mcp | * | npm | No | Version not pinned, installed via npx

Security Positives

✓ No shell/script execution capabilities declared or inferred
✓ No file system write operations required beyond reading the skill file
✓ No credential harvesting or exfiltration detected
✓ No base64-encoded payloads or obfuscated code present
✓ No sensitive path access (ssh, aws, .env files)
✓ Skill uses a well-defined, scoped MCP server (@metacomp scope) for blockchain analysis
✓ Clear documentation of tool behavior and output format
✓ No reverse shell, C2, or data theft indicators
✓ All capability declarations match actual implementation requirements