Low risk: risk score 20/100
Last scanned: 2 days ago
metacomp_visionx_kyt
Check Web3 wallet or transaction security using MetaComp VisionX KYT (Know-Your-Transaction) analysis via MCP server
A straightforward Web3 security analysis skill that uses an MCP server for KYT (Know-Your-Transaction) blockchain analysis with no hidden functionality or malicious behavior detected.
Skill name: metacomp_visionx_kyt
Analysis time: 28.1s
Engine: pi
OK to install
Approve for use. The skill is well-documented and performs a legitimate security analysis function. Minor concern: API token passed as CLI arg (logged in process listings), but this is standard practice for MCP servers.

Security findings: 2

Severity | Finding | Location
Low
API token visible in process arguments
The setup guide shows passing the API token directly as a CLI argument to the npx command, which means the token may be visible in process listings (ps aux). This is a minor operational security concern but is standard practice for MCP server configuration.
"args": ["-y", "--package", "@metacomp/visionx-kyt-mcp", "visionx-kyt-mcp", "--token", "YOUR_API_KEY"]
→ Consider documenting that users should use environment variable passing or secrets management if the MCP framework supports it.
SKILL.md:165
Low
External URL references
The skill references external URLs (metacomp.ai, github.com) for installation and setup. These are standard for legitimate open-source tools but represent a dependency on external infrastructure.
homepage: https://github.com/metacomp-ai/remote-mcp
→ Users should verify URLs before following installation instructions.
SKILL.md:5
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md: Only requires reading the skill file itself
Network access | READ | READ | ✓ Consistent | SKILL.md: Uses MCP server for API calls to blockchain analysis services
Command execution | NONE | NONE | | SKILL.md: No subprocess/bash declarations
Skill invocation | WRITE | WRITE | ✓ Consistent | SKILL.md: Explicitly invokes get_wallet_security and get_transaction_security MC…
Browser | NONE | NONE | | SKILL.md: No browser tool references
Clipboard | NONE | NONE | | SKILL.md: No clipboard access
Database | NONE | NONE | | SKILL.md: No database access
Environment variables | READ | READ | ✓ Consistent | SKILL.md: Requires METACOMP_TOKEN env var, reads it for MCP server configuration
1 finding
Medium: External URL
https://www.metacomp.ai
SKILL.md:5

Directory structure

1 file · 16.5 KB · 417 lines
Markdown 1f · 417L
└─ 📝 SKILL.md Markdown 417L · 16.5 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
@metacomp/visionx-kyt-mcp | * | npm | | Version not pinned, installed via npx

Security highlights

✓ No shell/script execution capabilities declared or inferred
✓ No file system write operations required beyond reading the skill file
✓ No credential harvesting or exfiltration detected
✓ No base64-encoded payloads or obfuscated code present
✓ No sensitive path access (ssh, aws, .env files)
✓ Skill uses a well-defined, scoped MCP server (@metacomp scope) for blockchain analysis
✓ Clear documentation of tool behavior and output format
✓ No reverse shell, C2, or data theft indicators
✓ All capability declarations match actual implementation requirements