Skill v2.0.0
ClawScan security
Muster Connect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 26, 2026, 2:46 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and scripts are coherent with a self-hosting co‑working server integration (it needs an API key and can install/run a local Muster server), but the included install/update scripts perform high‑privilege system changes and remote script/binary downloads that you should review before running.
- Guidance: This skill appears to do what it says (connect your agent to a Muster server), but the included scripts will perform significant system changes if you run them: installing packages, running remote install scripts, creating services, writing API keys to disk, and setting up a cloud tunnel that exposes the server. Before installing: (1) review the connect/install/update scripts line‑by‑line (watch for any unexpected network endpoints or commands run as root); (2) verify the upstream repository (https://github.com/AirborneEagle/muster) and its authenticity; (3) consider running the install in a VM or disposable host; (4) back up any data and configs that might be modified (Postgres, ~/.openclaw, ~/.muster); (5) be aware that MUSTER_API_KEY will be stored in ~/.openclaw/openclaw.json and ~/.muster/state.json (and optionally Keychain) — treat it like a secret. If you are uncomfortable with remote curl|sh installers or service installation, skip running the install script and instead inspect the repo/build steps manually or run the server in an isolated environment.
Review Dimensions
- Purpose & Capability (ok): Name/description (Muster co‑working integration) match the actual footprint: the skill connects an agent to a Muster MCP server and provides helpers for heartbeat, tasks, and lifecycle. Declared primary credential MUSTER_API_KEY is expected and used by the scripts.
- Instruction Scope (note): SKILL.md instructs agents to run provided scripts (install.sh, connect.sh, update.sh, uninstall.sh) and to call the Muster MCP heartbeat and tools. The instructions reference and modify local OpenClaw and Muster state files (~/.openclaw/openclaw.json, ~/.muster/*), launchd/pm2 services, and a tunnel state — all consistent with connecting/operating a local server, but broader than a purely 'agent-only' skill (it reads/writes filesystem config and can install services).
- Install Mechanism (concern): No packaged install spec (instruction-only) but full install script is included. install.sh clones a GitHub repo (reasonable) but also performs system package installs and runs network-sourced installers (e.g., curl | sh for Docker/nodesource, downloading cloudflared binary). Those network-executed install steps are common for server installs but are higher risk and should be audited before running.
- Credentials (ok): Only one declared primary credential (MUSTER_API_KEY) is requested; other environment/config changes are local (MUSTER_ENDPOINT, .env, ~/.muster/state.json, optional macOS Keychain). The scripts store the API key and endpoint in disk config and may place a key in macOS Keychain — this is proportionate to the server/client role but you should expect credentials to be written to disk.
- Persistence & Privilege (note): Skill is not always: true. However, install/update/uninstall scripts create system services (launchd or pm2), modify OpenClaw config, write state files, and may add system packages and user group modifications (docker). These are expected for a server install but constitute significant system privileges — run with caution and prefer an isolated machine or VM for initial testing.
