Env credential access
- Finding
- Environment variable access combined with network send.
Security checks across static analysis, malware telemetry, and agentic risk
The skill largely does what it says (control Claude Code via MCP), but there are multiple mismatches and risky behaviors. Most notably, it forwards the running process environment to spawned MCP servers (possible secret leakage), it exposes options to override system prompts and bypass permissions, and the packaging/install story is inconsistent. Proceed with caution.
This skill implements a CLI that can run arbitrary MCP tools (bash, read, write, etc.) and spawn helper servers. Before installing or running it:

1) Review and sanitize your environment: do not run the CLI in an environment that contains secrets you don't want forwarded (API keys, cloud creds, OpenClaw tokens). The code forwards process.env to subprocesses; this is the principal risk.
2) Inspect and control mcp_config.json: do not enable remote/back-end servers or provide tokens for GitHub/Slack unless you trust them.
3) Avoid using permission modes like 'bypassPermissions' or untrusted --base-url endpoints; prefer 'plan' or 'default' and keep the backend on localhost.
4) Because the registry metadata lists no install step, be cautious when building/running: run npm install in an isolated environment, inspect package.json and actual dependencies (the source imports libraries not listed in package.json).
5) If you need to use this skill in production, ask the author to (a) explicitly declare required env vars, (b) stop forwarding the entire process.env to child processes (only pass minimal required env), and (c) provide clear security guidance and hardened defaults (disable bypassPermissions, restrict default mcp_config paths).

Additional information that would raise confidence to 'benign': explicit documentation that secrets are not forwarded, or code changes to whitelist/limit forwarded env vars and to validate/require explicit user consent before enabling remote endpoints or bypassing permissions.
No VirusTotal findings for this skill version.
No visible risk-analysis findings were reported for this release.