Low Risk — Risk Score 15/100
Last scan: 20 hr ago
shaper
Connect to a Shaper (useshaper.com) workspace via MCP to execute Shape Up methodology as an AI agent.
This is a documentation-only skill that provides curl commands for interacting with a legitimate project management service (Shaper/useshaper.com) via MCP. No executable scripts or code files exist. Network access is declared and necessary for the stated functionality.
Skill Name: shaper
Duration: 26.9s
Engine: pi
Safe to install
The skill is safe to use as documented. Monitor for any attempts to use the agent_register capability in unexpected ways, as it allows autonomous workspace creation without authentication.

Findings (1 item)

Severity: Low
Finding: agent_register allows unauthenticated workspace creation (Doc Mismatch)
Location: SKILL.md:82
The agent_register tool can create provisional workspaces autonomously without requiring an API key. While documented, this could theoretically be abused to create workspaces for data exfiltration.
agent_register: Create a provisional workspace autonomously. No API key needed.
→ Monitor usage patterns of agent_register. Consider if a future version should require user confirmation for workspace creation.

Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | SKILL.md:39 - POST to useshaper.com/mcp
Environment | READ | READ | ✓ Aligned | SKILL.md:18-19 - reads SHAPER_API_KEY and SHAPER_WORKSPACE_SLUG
Filesystem | NONE | NONE | | No file operations in the skill
Shell | NONE | NONE | | No shell scripting - only curl command examples in docs
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill Invoke | NONE | NONE | | No cross-skill invocation

3 findings
Medium | External URL | https://useshaper.com/ | SKILL.md:16
Medium | External URL | https://useshaper.com/mcp | SKILL.md:39
Medium | External URL | https://useshaper.com/.well-known/mcp.json | SKILL.md:88

File Tree

2 files · 5.7 KB · 219 lines
Markdown 2f · 219L
├─ 📁 references
│ └─ 📝 tools.md Markdown 131L · 2.8 KB
└─ 📝 SKILL.md Markdown 88L · 3.0 KB

Security Positives

✓ No executable code or scripts - pure documentation
✓ Network access is fully declared and matches stated purpose
✓ API key handling via environment variables is appropriate
✓ No obfuscation or suspicious patterns
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No base64-encoded payloads or dynamic code execution
✓ No credential harvesting beyond the single declared API key
✓ All functionality aligns with documented project management use case