Public audit · 2026-04-24

Klavis-AI/klavis

Overall: F (0/100) · v0.2 scan · 6 axes · LLM prompt-injection probe

SkillAudit report — Klavis-AI/klavis

Scanned 2026-04-24 by SkillAudit v0.2 (static checks + LLM-assisted prompt-injection red-team).

Commit: 9ab5070 · Stars: 5716 · Days since last push: 0

LLM prompt-injection probe: skipped — set ANTHROPIC_API_KEY to enable the LLM-assisted prompt-injection red-team

Overall grade: F (0/100)

Axis	Score	Grade
security	0/100	F	❌
permissions	100/100	A	✅
credentials	0/100	F	❌
maintenance	90/100	A	✅
compatibility	70/100	C	⚠️
docs	100/100	A	✅

Security findings

Production sources:

HIGH examples/openai-klavis/strata-python/requests_main.py:29 — HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file

response = requests.post(url, headers=self.headers, json=payload)

HIGH examples/openai-klavis/strata-python/requests_main.py:37 — HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file

response = requests.post(url, headers=self.headers, json=payload)

HIGH examples/openai-klavis/strata-python/requests_main.py:45 — HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file

response = requests.post(url, headers=self.headers, json=payload)

HIGH examples/openai-klavis/strata-python/requests_main.py:168 — HTTP client call with user-controlled argument 'openai_url' — no URL allowlist / validation found in file

response = requests.post(openai_url, headers=openai_headers, json=payload)

WARN mcp_servers/12306/src/index.ts:286 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const response = await axios.get(url, {

WARN mcp_servers/12306/src/index.ts:775 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const response = await axios.get(url + '?' + scheme.toString(), {

HIGH mcp_servers/attio/index.ts:41 — HTTP client call with user-controlled argument 'url' — no URL allowlist / validation found in file

const response = await fetch(url, {

WARN mcp_servers/brave_search_atlas/index.ts:188 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const response = await fetch(url, {

WARN mcp_servers/brave_search_atlas/index.ts:220 — HTTP client call with user-controlled argument 'webUrl' (validation markers present but not verified against this call-site)

const webResponse = await fetch(webUrl, {

WARN mcp_servers/brave_search_atlas/index.ts:251 — HTTP client call with user-controlled argument 'url' (validation markers present but not verified against this call-site)

const response = await fetch(url, {

Test-site findings (lower weight): 5 total in test/ paths — first 3 shown

HIGH mcp_servers/notion_atlas/src/openapi-mcp-server/client/__tests__/http-client.integration.test.ts:29 — Template-string URL with interpolation — no validation possible on composed string

const response = await axios.get(\${BASE_URL}/openapi.json\)

HIGH mcp_servers/notion_mcpmark/src/openapi-mcp-server/client/__tests__/http-client.integration.test.ts:29 — Template-string URL with interpolation — no validation possible on composed string

const response = await axios.get(\${BASE_URL}/openapi.json\)

HIGH mcp_servers/notion_toolathlon/src/openapi-mcp-server/client/__tests__/http-client.integration.test.ts:29 — Template-string URL with interpolation — no validation possible on composed string

const response = await axios.get(\${BASE_URL}/openapi.json\)

Permissions

_No findings on this axis._

Credentials

Production sources:

HIGH docs/mcp-server/stripe.mdx:80 — Hardcoded Stripe test secret found in source

sk_test_*** (Stripe test secret, 35 chars)

HIGH docs/mcp-server/stripe.mdx:86 — Hardcoded Stripe test secret found in source

sk_test_*** (Stripe test secret, 35 chars)

HIGH docs/mcp-server/stripe.mdx:145 — Hardcoded Stripe test secret found in source

sk_test_*** (Stripe test secret, 35 chars)

HIGH mcp_servers/README.md:35 — Hardcoded GitHub personal access token found in source

ghp_*** (GitHub personal access token, 26 chars)

HIGH mcp_servers/github/README.md:38 — Hardcoded GitHub personal access token found in source

ghp_*** (GitHub personal access token, 26 chars)

HIGH mcp_servers/shopify/index.ts:1171 — console.* of process.env — entire env leaks to stdout/stderr and LLM context

console.log(\server running on port ${process.env.PORT || 5000}\);

HIGH mcp_servers/slack/.env.example:8 — Hardcoded Slack bot token found in source

xoxb-*** (Slack bot token, 24 chars)

HIGH mcp_servers/slack/.env.example:12 — Hardcoded Slack user token found in source

xoxp-*** (Slack user token, 25 chars)

HIGH mcp_servers/woocommerce_toolathlon/src/server.ts:1236 — console.* of process.env — entire env leaks to stdout/stderr and LLM context

console.log(\Connected to: ${process.env.WORDPRESS_SITE_URL}\);

WARN examples/agno-klavis/.env.example — .env file present in repo tree — verify it's a template, not real secrets

examples/agno-klavis/.env.example

Test-site findings (lower weight): 20 total in test/ paths — first 3 shown

HIGH mcp_servers/github_official/pkg/http/middleware/pat_scope_test.go:69 — Hardcoded GitHub personal access token found in source

ghp_*** (GitHub personal access token, 40 chars)

HIGH mcp_servers/github_official/pkg/http/middleware/pat_scope_test.go:80 — Hardcoded GitHub personal access token found in source

ghp_*** (GitHub personal access token, 40 chars)

HIGH mcp_servers/github_official/pkg/http/middleware/pat_scope_test.go:91 — Hardcoded GitHub personal access token found in source

ghp_*** (GitHub personal access token, 40 chars)

Maintenance

Production sources:

WARN (meta) — 238 open issues — triage backlog

238 open

Compatibility

Production sources:

WARN (meta) — No engines (Node) or python_requires declared — cross-client compatibility unverified

Documentation

_No findings on this axis._

Methodology

SkillAudit v0.2 clones the repo at the provided ref (default: default branch, HEAD) into an ephemeral sandbox, runs six static checks over .js/.ts/.py sources, queries the GitHub API for maintenance signals, and runs an LLM-assisted prompt-injection red-team over the MCP tool surface. Each axis is scored against the rubric at .

The prompt-injection axis extracts each server.tool(...) / @app.tool registration + the first ~60 lines of handler body, hands them to Claude Haiku 4.5 with a red-team system prompt, and asks for structured findings on untrusted-content flow into tool responses. One API call per scan, bounded at ~15K input tokens.

How to improve this grade

Security — static: validate tool-input URLs against an allowlist before fetch/axios calls; use execFile with argv arrays instead of exec with template strings; never pass untrusted strings to subprocess with shell=True.
Security — prompt injection: never return fetched web-page / file / email content verbatim in a tool response. Wrap with a framing marker (e.g., <untrusted-content>...</untrusted-content>), summarize rather than inline, and never let untrusted content share a turn with credentials or other tool output.
Credentials findings: redact env-var reads before log lines and error messages; treat any string that ends up in a tool response as public.
Maintenance: if the repo is inactive, document the maintenance model — "MCP tool, no breaking changes expected" is a legitimate signal.
Docs: add a README install + usage section with a copy-pasteable command; add a SECURITY.md with a disclosure channel.

_Report generated by skillaudit.dev_

Want your repo audited?

First 100 audits go to waitlist signups in order. The engine runs against public GitHub URLs today.

Join the waitlist →