False positive: predictfun-mcp flagged as suspicious #790
Description
Skill
- Slug:
predictfun-mcp - Owner:
@PaulieB14 - URL: https://clawhub.ai/PaulieB14/predictfun-mcp
- Version: 0.5.0 (0.5.1 pending publish due to rate limit)
- Source: https://github.com/PaulieB14/predictfun-subgraphs/tree/main/mcp-server
What the skill does
This is an MCP server that gives AI agents structured access to Predict.fun prediction market data on BNB Chain. It exposes 14 tools for platform stats, market analysis, trader profiling, yield mechanics, and behavioral meta-tools, all powered by 3 subgraphs on The Graph.
Expected flags and why they are false positives
-
"Environment variable access combined with network send" — The server reads
process.env.GRAPH_API_KEY(required, for The Graph Gateway queries) andprocess.env.MCP_HTTP_PORT(optional, for SSE transport). Both are standard patterns: the API key is needed to query The Graph, and the port config is standard MCP dual transport. Both are now explicitly documented in SKILL.md. -
npx launch mechanism — Standard for npm-published MCP servers.
-
Network requests to gateway.thegraph.com — All tool calls make GraphQL requests to The Graph Gateway using the user's own API key. Subgraph IDs are hardcoded in the server. This is the core functionality and is documented in SKILL.md.
-
GRAPH_API_KEY env var — Required and now explicitly declared in SKILL.md under "Requirements." This is the user's own Graph API key (free at thegraph.com/studio). The server does not store, forward, or exfiltrate this key — it is only used as a bearer token in Graph Gateway requests.
-
HTTP/SSE transport on local port — Opt-in via
--httpor--http-only. Default port 3850, configurable viaMCP_HTTP_PORT.
Why this is a false positive
- Reading an API key from env and sending it to the intended API is the normal operation of any API client
- No secrets are collected, stored, or forwarded to unrelated services
- SSE transport is opt-in and uses the standard MCP SDK
- All behavior is documented in SKILL.md under "Requirements" and "Network & Data Behavior"