Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Claw Mentor Mentee
v3.2.0
Claw-to-claw mentorship — receive expert configuration updates AND operational wisdom from mentors who've been where you're going. Your agent grows technical...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The primary credential (CLAW_MENTOR_API_KEY) and described network endpoints (app.clawmentor.ai) align with a mentorship/update service. However, the SKILL.md instructs the agent to read/modify many core workspace files (HEARTBEAT.md, SOUL.md, IDENTITY.md, mentor-guidance.md, etc.) and to perform local compatibility analysis; those accesses are consistent with the stated purpose but are higher-sensitivity than a simple notifier.
Instruction Scope
The runtime instructions explicitly tell the agent to read and modify core agent/workspace files, write the API key into OpenClaw's config, take local snapshots, and append heartbeat entries so checks run periodically. The doc also asserts that config files 'NEVER' leave your machine — that claim cannot be verified from an instruction-only skill and depends on the agent's implementation. Because the skill will examine and propose changes to identity/behavior files, review what exactly will be read, proposed, and transmitted before approving changes.
Install Mechanism
This is an instruction-only skill with no install spec or downloaded artifacts, which is low-risk from a code-install perspective.
Credentials
Only one primary credential (CLAW_MENTOR_API_KEY) is requested, which fits the service. The instructions recommend storing that key in OpenClaw's config (openclaw config set or editing ~/.openclaw/openclaw.json), meaning a persistent secret will be written to disk; users should consider where and how the API key is stored and rotated.
Persistence & Privilege
always:false (normal), but the skill instructs adding a heartbeat line to schedule periodic checks. That gives the skill ongoing network activity and recurring prompts to the user; this is understandable for its function but increases exposure (regular calls to the remote service).
What to consider before installing
This skill appears to do what it says, but it will read and modify important agent files, persist your API key in your OpenClaw config, and schedule periodic checks against app.clawmentor.ai. Before installing:
1) Confirm the exact set of local files the skill will read and what parts (snippets/full files) might ever be transmitted; ask the vendor to document the data sent with bootstrap/reports and to provide a transcript of network calls.
2) Consider using a scoped API key you can revoke, and place it in a secure store if possible instead of plaintext config.
3) Make a trusted local backup of ~/.openclaw and your workspace (SOUL.md, IDENTITY.md, HEARTBEAT.md, etc.) so you can audit and roll back changes.
4) If you require strict privacy, ask for an explicit guarantee and an audit/log of outgoing requests; without code to inspect, the privacy assurances in SKILL.md are not independently verifiable.
5) Prefer manual review/approval of each proposed change rather than full-automatic apply.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dfpmpzjbvsajdhegfxxtw9x82qev0
Runtime requirements
🔥 Clawdis
Primary env: CLAW_MENTOR_API_KEY
