mcporter

This skill's documentation and metadata describe a CLI (mcporter) that legitimately needs broad capabilities: making HTTP calls, performing OAuth, editing local config, and optionally launching ad-hoc servers via stdio. The primary risks are operational rather than covert malicious code in this fragment: running user-provided commands (stdio) allows arbitrary code execution if untrusted input reaches the CLI; local config likely stores credentials which should be protected; and installing the mcporter npm package is a supply-chain risk if package sources or versions are not pinned. There is no explicit evidence in the provided content of hidden backdoors, obfuscated code, remote exfiltration to attacker-controlled domains, or download-and-execute instructions. Overall, the fragment appears functionally coherent with its stated purpose but carries moderate supply-chain and operational risk due to execution and credential handling capabilities. Recommend reviewing the actual mcporter package contents and install sources, auditing how tokens are stored, and restricting use of --stdio and automated agent access.