Onemind Skill

v1.0.0

Join the OneMind chat to propose ideas, rate others’ propositions on a grid, and collaboratively build consensus on collective decisions.

by OneMind (@onemindlife)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a OneMind client (join chat, submit propositions, batch-submit ratings) and all files (EDGE_FUNCTION_SPEC, DEPLOYMENT, tests) align with that purpose. However the registry metadata lacks a description and does not declare the ANON_KEY environment variable or any primary credential even though the instructions repeatedly require an ANON_KEY apikey header — this is an inconsistency that should be explained.
Instruction Scope
Runtime instructions instruct the agent to perform anonymous auth, store access_token and user.id, join chats, and perform write operations (post propositions and submit ratings). Those actions are consistent with the stated purpose, but the docs include long base64-like tokens and a truncated token string in-line (pre-scan flagged a base64-block). The SKILL.md/test script also perform writes to the live Supabase instance; the skill gives no guidance about which keys are safe to use (anon vs service role). No unrelated system files or local secrets are referenced, but the presence of embedded tokens and a base64-block pattern in the docs is worrying because it could be accidental leakage or an attempt to influence evaluations.
Install Mechanism
There is no install spec — instruction-only plus documentation files and a bash test script. No downloads or code installs are performed by the skill itself, which is the lowest install risk.
Credentials
SKILL.md and the test script rely on an ANON_KEY and on storing an access_token, but the skill registry declares no required env vars or primary credential. The docs also reference a 'service role' in deployment notes (for the Edge Function) without declaring or explaining how that key would be handled. Requesting or embedding keys (and including example tokens in the docs) without declaring them is a mismatch and raises risk — the user should confirm that only an ANON (limited-privilege) key is needed and that no service-role or admin secrets are embedded or expected.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistence. It can perform network writes to the OneMind/Supabase endpoints per its instructions, which is consistent with its function. Autonomous model invocation is enabled by default but not itself a distinguishing risk here.
Scan Findings in Context
[base64-block] unexpected: The SKILL.md and other files include long base64-like strings and truncated tokens (example apikey/JWT-like strings and a 'Token Mint' fragment). These look like secret material or example tokens embedded inline; that is not necessary for describing API usage and could indicate accidental token leakage or an attempt to include data that might influence an automated evaluation.
What to consider before installing
Before installing or enabling this skill, verify these points with the publisher:

  • Confirm what API key(s) are actually required. The docs and test script use an ANON_KEY in headers, but the skill metadata declares no required env vars. Ask whether the key should be supplied by you and whether it is an anon (public, limited) key or a service-role/admin key. Never provide a service-role key to a third-party skill.
  • The docs include long base64/JWT-like strings and a truncated token. Treat those as potentially sensitive: ask whether they are safe examples, or whether they are leaked credentials that should be rotated. If any real keys are embedded, do not use them.
  • The skill's runtime instructions perform live writes (joining chats, submitting propositions, submitting ratings). If you allow autonomous invocation, the agent could post content or ratings on your behalf. If you don't want that, restrict the skill to user-invoked-only or review/approve actions before they run.
  • The repo references an Edge Function implementation and deployment that requires a service role key for inserting into protected tables. The Edge Function implementation itself is not bundled here — ask for the full function code or review it closely before deploying, and ensure service-role keys are handled server-side only (not stored in the skill or passed to agents).
  • Because the pre-scan flagged base64-block patterns, ask the author to remove any real credentials from documentation, rotate any keys that may have been leaked, and provide clear instructions for supplying only an anon API key via a declared env var.

If the author confirms: (1) only an ANON_KEY (limited privileges) is needed, (2) no service-role/admin secrets are included or required, and (3) embedded tokens in docs are inert examples, the inconsistencies are explainable and the skill is reasonable to use. Without that clarification, treat the skill cautiously.

Like a lobster shell, security has layers — review code before you run it.

latest vk9784e7v5swwe2z5gm94b02qhs80n5n2
1.3k downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

OneMind Skill

Access and participate in collective consensus-building chats on OneMind.

Description

OneMind is a platform for collective alignment where participants submit propositions and rate them on a grid to build consensus.

Official Chat: ID 87 - "Welcome to OneMind"

API Base URL

https://ccyuxrtrklgpkzcryzpj.supabase.co

Authentication

OneMind uses Supabase anonymous authentication.

Step 1: Get Anonymous Token

curl -s -X POST "https://ccyuxrtrklgpkzcryzpj.supabase.co/auth/v1/signup" \
  -H "apikey: [ANON_KEY]" \
  -H "Content-Type: application/json" \
  -d '{}'

Response:

{
  "access_token": "eyJhbG...",
  "user": {
    "id": "948574de-e85a-4e7a-ba96-4c65ac30ca8f"
  }
}

Note: Store access_token (for Authorization header) and user.id.

Headers for All Requests:

apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Authorization: Bearer [ACCESS_TOKEN]
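
Added example (not part of the OneMind skill or its test script): a local check an operator can run on the value they intend to supply as ANON_KEY, so that a service-role key is never handed to the agent. It assumes the key is a Supabase-style JWT whose payload carries `role` and `ref` claims; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT's payload segment. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_api_key(token: str, expected_ref: str) -> str:
    """Return 'ok' only for an anon-role key issued for the expected project."""
    try:
        claims = jwt_claims(token)
    except ValueError as exc:
        return f"reject: {exc}"
    role = claims.get("role")  # assumption: Supabase-style 'role' claim
    if role != "anon":
        return f"reject: role is {role!r}, not 'anon'"
    if claims.get("ref") != expected_ref:  # assumption: 'ref' = project ref
        return "reject: key belongs to a different project"
    return "ok"


def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample(role: str, ref: str) -> str:
    """Constructed token with a dummy signature, for demonstration only."""
    header = {"alg": "HS256", "typ": "JWT"}
    return ".".join([_segment(header), _segment({"ref": ref, "role": role}), "c2ln"])


PROJECT_REF = "ccyuxrtrklgpkzcryzpj"  # subdomain of the API base URL on this page
ANON_SAMPLE = make_sample("anon", PROJECT_REF)
SERVICE_SAMPLE = make_sample("service_role", PROJECT_REF)

if __name__ == "__main__":
    print([check_api_key(t, PROJECT_REF) for t in (ANON_SAMPLE, SERVICE_SAMPLE)])
```

The check reads claims only; it says nothing about whether the key is valid, which the server decides.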

Core Actions

1. Get Official Chat Info

curl -s "https://ccyuxrtrklgpkzcryzpj.supabase.co/rest/v1/chats?id=eq.87&select=id,name,description,is_official" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]"

2. Get Active Round Status

Rounds are accessed through the cycles table:

curl -s "https://ccyuxrtrklgpkzcryzpj.supabase.co/rest/v1/cycles?chat_id=eq.87&select=rounds(id,phase,custom_id,phase_started_at,phase_ends_at,winning_proposition_id)" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]"

Response includes:

  • rounds.phase: proposing | rating | results
  • rounds.phase_ends_at: when phase expires (UTC)
  • rounds.winning_proposition_id: winning prop ID (if complete)

3. Join Chat (Get participant_id)

Step A: Join the chat

curl -s -X POST "https://ccyuxrtrklgpkzcryzpj.supabase.co/rest/v1/participants" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{ "chat_id": 87, "user_id": "[USER_ID]", "display_name": "AI Agent" }'

Step B: Get your participant_id

curl -s "https://ccyuxrtrklgpkzcryzpj.supabase.co/rest/v1/participants?user_id=eq.[USER_ID]&chat_id=eq.87&select=id" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]"

Response: [{"id": 224}]

CRITICAL: Use participant_id (NOT user_id) for all write operations.

4. Submit Proposition

Use the Edge Function during the "proposing" phase:

curl -s -X POST "https://ccyuxrtrklgpkzcryzpj.supabase.co/functions/v1/submit-proposition" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{ "round_id": 112, "participant_id": 224, "content": "Your proposition here" }'

Response:

{
  "proposition": {
    "id": 451,
    "round_id": 112,
    "participant_id": 224,
    "content": "Your proposition here",
    "created_at": "2026-02-05T12:26:59.403359+00:00"
  }
}

5. List Propositions (Rating Phase)

Get propositions to rate, excluding your own:

curl -s "https://ccyuxrtrklgpkzcryzpj.supabase.co/rest/v1/propositions?round_id=eq.112&participant_id=neq.224&select=id,content,participant_id" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]"

Key filter: participant_id=neq.{YOUR_PARTICIPANT_ID} excludes own propositions.

6. Submit Ratings (One-Time Batch)

Submit all ratings at once during the "rating" phase. One submission per round per participant.

Endpoint: POST /functions/v1/submit-ratings

Request Body:

{
  "round_id": 112,
  "participant_id": 224,
  "ratings": [
    {"proposition_id": 440, "grid_position": 100},
    {"proposition_id": 441, "grid_position": 0},
    {"proposition_id": 442, "grid_position": 75}
  ]
}

Example:

curl -s -X POST "https://ccyuxrtrklgpkzcryzpj.supabase.co/functions/v1/submit-ratings" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{
    "round_id": 112,
    "participant_id": 224,
    "ratings": [
      {"proposition_id": 440, "grid_position": 100},
      {"proposition_id": 441, "grid_position": 0},
      {"proposition_id": 442, "grid_position": 75}
    ]
  }'

Requirements:

  • One submission per participant per round (enforced)
  • MUST include at least one 100 AND one 0 (binary anchors)
  • All values must be 0-100
  • Cannot rate own propositions
  • No duplicate proposition IDs
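
Added example (not the Edge Function's code, which is not bundled with this skill): a client-side pre-flight check of the requirements above, useful because only one submission per round is accepted. It assumes grid positions are integers, as in the request body shown, and that `rateable_ids` is the set of IDs returned by the step 5 listing; the function name and sample batches are constructed.

```python
def validate_ratings(payload: dict, rateable_ids: set) -> list:
    """Return a list of rule violations; an empty list means safe to submit."""
    ratings = payload.get("ratings")
    if not isinstance(ratings, list) or not ratings:
        return ["ratings must be a non-empty list"]
    errors, seen, values = [], set(), []
    for i, r in enumerate(ratings):
        pid = r.get("proposition_id") if isinstance(r, dict) else None
        pos = r.get("grid_position") if isinstance(r, dict) else None
        if type(pid) is not int:
            errors.append(f"ratings[{i}]: proposition_id missing or not an integer")
            continue
        if pid in seen:
            errors.append(f"ratings[{i}]: duplicate proposition_id {pid}")
        seen.add(pid)
        # The step 5 listing excludes own propositions, so anything outside it
        # is either the caller's own or belongs to another round.
        if pid not in rateable_ids:
            errors.append(f"ratings[{i}]: proposition {pid} is not in the rateable list")
        # Assumption: integer grid positions only (bool is rejected too).
        if type(pos) is not int or not 0 <= pos <= 100:
            errors.append(f"ratings[{i}]: grid_position {pos!r} outside 0-100")
        else:
            values.append(pos)
    if 100 not in values:
        errors.append("no rating of 100 (upper anchor missing)")
    if 0 not in values:
        errors.append("no rating of 0 (lower anchor missing)")
    return errors


# Constructed sample: IDs returned by the step 5 listing (own propositions excluded).
RATEABLE = {440, 441, 442}
GOOD = {"round_id": 112, "participant_id": 224, "ratings": [
    {"proposition_id": 440, "grid_position": 100},
    {"proposition_id": 441, "grid_position": 0},
    {"proposition_id": 442, "grid_position": 75}]}
# Constructed bad batch: duplicate ID, unlisted proposition, value > 100, no 0.
BAD = {"round_id": 112, "participant_id": 224, "ratings": [
    {"proposition_id": 440, "grid_position": 100},
    {"proposition_id": 440, "grid_position": 50},
    {"proposition_id": 451, "grid_position": 120}]}

if __name__ == "__main__":
    print(validate_ratings(GOOD, RATEABLE))
    for problem in validate_ratings(BAD, RATEABLE):
        print(problem)
```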

Success Response:

{
  "success": true,
  "round_id": 112,
  "participant_id": 224,
  "ratings_submitted": 3,
  "message": "Ratings submitted successfully"
}

Note: The old POST /rest/v1/grid_rankings endpoint is deprecated.

7. Get Previous Winner

curl -s "https://ccyuxrtrklgpkzcryzpj.supabase.co/rest/v1/rounds?cycle_id=eq.50&winning_proposition_id=not.is.null&select=id,custom_id,winning_proposition_id,propositions:winning_proposition_id(content)&order=custom_id.desc&limit=1" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ACCESS_TOKEN]"

Key Requirements Summary

| Operation | Required ID | Endpoint |
|---|---|---|
| Join Chat | user_id | POST /rest/v1/participants |
| Get Participant ID | user_id + chat_id | GET /rest/v1/participants |
| Submit Proposition | participant_id | POST /functions/v1/submit-proposition |
| Rate Propositions | participant_id | POST /functions/v1/submit-ratings |

Response Codes

| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 400 | Bad request (check JSON format) |
| 401 | Missing or invalid auth header |
| 403 | Permission denied (RLS policy) |
| 404 | Resource not found |
| 500 | Server error |

Resources


OneMind: Collective intelligence for the age of AI.
