github not analyzable

hith3sh/clawlink

MCP server connecting AI agents to 100+ apps (Gmail, Slack, Notion, GitHub) via one-click OAuth.

maintainer: hith3sh
license: —
first seen: 2026-06-03
last seen: 2026-06-03
releases · 30d: 0
short id

risk insufficient evidence

Insufficient evidence to grade. This server's source has not been statically analyzed, so a low grade would only mean "nothing found", not "nothing there". We don't show a reassuring grade we can't stand behind. Attested signals (CVEs, provenance) below still apply.

Once the source is analyzed (see the analysis flag in the header), a graded score appears here. How analysis works: methodology.

graded 10m ago · see ecosystem CVEs →

capability exposure grade factor +35

Inferred surface — each links to servers holding it:

vulnerabilities 0 CVEs

No known CVEs for this server.

tool safety 1 findings · grade factor +0

highdangerous code
env-secret-flows-to-network-js: A process environment value (often a secret/token) flows into a network call — possible credential exfiltration. (/tmp/obs-code-R7sLmY/ClawLink-HQ-c

skills & danger signals github-tarball

prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed analyzer v17 · 3d ago

skills & prompt files 116

danger signals8

suspicious endpointapi.telegram.orgClawLink-HQ-clawlink-b7fa417/src/app/api/feedback/route.ts:75`https://api.telegram.org/bot${botToken}/sendPhoto`,
over-broad OAuth scopehttps://mail.google.com/ClawLink-HQ-clawlink-b7fa417/scripts/audit-composio-scopes.mjs:206"https://mail.google.com/": [
over-broad OAuth scopegmail.modifyClawLink-HQ-clawlink-b7fa417/scripts/audit-composio-scopes.mjs:208"https://www.googleapis.com/auth/gmail.modify",
over-broad OAuth scopehttps://www.googleapis.com/auth/driveClawLink-HQ-clawlink-b7fa417/scripts/audit-composio-scopes.mjs:219"https://www.googleapis.com/auth/drive": [
over-broad OAuth scopehttps://www.googleapis.com/auth/spreadsheetsClawLink-HQ-clawlink-b7fa417/scripts/audit-composio-scopes.mjs:228"https://www.googleapis.com/auth/spreadsheets": [
over-broad OAuth scopehttps://www.googleapis.com/auth/documentsClawLink-HQ-clawlink-b7fa417/scripts/audit-composio-scopes.mjs:232"https://www.googleapis.com/auth/documents": [
over-broad OAuth scopeadmin:orgClawLink-HQ-clawlink-b7fa417/src/data/integrations.ts:2666{ name: "github_add_or_update_team_project_permissions", description: "Adds a classic project to a team or updates the team's permission on it. This endpoint grants or updates permissions for a team o
over-broad OAuth scopeadmin:orgClawLink-HQ-clawlink-b7fa417/src/generated/composio-manifests/github.generated.ts:217description: "Adds a classic project to a team or updates the team's permission on it. This endpoint grants or updates permissions for a team on a specific classic project (not Projects V2). The authe

embed badge readme-ready

[![MCP Observatory risk grade](https://mcpobservatory.com/servers/github:hith3sh/clawlink/badge.svg)](https://mcpobservatory.com/servers/github:hith3sh/clawlink/security)

Heuristic, inferred signals — false positives (legitimately powerful tools, forks, language ports) are expected. Treat each as "review this", not a verdict. See the ecosystem-wide picture on the security hub, or the fleet security of hith3sh.

hith3sh/clawlink

skills & prompt files 116

danger signals8

Navigate

Stream

Display