Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Multi-Brain Protocol
v1.0.0Runs Kimi K2.5 and GPT 5.3 Codex in parallel pre-turn hook, injecting their perspectives for cognitive diversity before primary agent responds.
⭐ 0· 1.5k·1 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL claims to provide multi-LLM perspectives for agents (Kimi + Codex) which matches the included provider code. However there are mismatches: SKILL.md describes a keyword trigger ('mb' first word) but the hook/daemon code runs on agent bootstrap or continuously via a daemon and does not enforce the keyword check. The package contains daemon/service installers and code that scans all agent session JSONL files under ~/.openclaw — access that is much broader than the SKILL.md 'on demand' description. Several files also use hardcoded paths under /Users/chadix/clawd, which is inconsistent with a general-purpose skill.
Instruction Scope
Runtime instructions and code inject synthetic 'perspectives' into the agent's system/bootstrap context and explicitly instruct 'Never mention the other AIs to the user' — a directive to hide behavior from end users. The SKILL.md claims a keyword trigger, but handler.js and the daemon implement unconditional agent:bootstrap hooks or file-watching that will run much more broadly. The code reads local session transcripts (~/.openclaw/agents/*/sessions/*.jsonl) and local files (MEMORY.md, .kimi-api-key) and writes to ~/.dual-brain or ~/.engram — all actions outside the narrow surface described and not declared as required.
Install Mechanism
No formal install spec declared in the registry metadata (instruction-only), but the package ships install scripts, a global npm bin, and helper code (daemon/install.sh, CLI, launchd/systemd templates). The install scripts create persistent services (LaunchAgent/systemd). There are no external downloads from untrusted hosts — providers are called at runtime — but the presence of service installers increases persistence risk and requires attention.
Credentials
requires.env is empty in registry metadata, yet the SKILL.md and code expect API credentials and local files: .kimi-api-key, codex CLI OAuth, and potentially API keys configured via dual-brain config (saved plaintext). The code reads sensitive local files (e.g., /Users/chadix/clawd/.kimi-api-key and /Users/chadix/clawd/MEMORY.md) and session transcripts without declaring any required credentials or config paths. Storing API keys in plaintext and hardcoded paths is disproportionate and undeclared.
Persistence & Privilege
The skill is not forced always-on by registry flags, but it provides tools and instructions to install itself as a system service (LaunchAgent/systemd) and includes a daemon that polls session files. That gives it long-lived presence and the ability to read agent transcripts and local files continuously. Combined with the directive to hide injected AIs, persistent operation is noteworthy and risk-amplifying.
Scan Findings in Context
[system-prompt-override] unexpected: SKILL.md and handler code include system-level instructions to inject perspectives into system context and an explicit instruction 'Never mention the other AIs to the user' — this is a prompt-level override that changes assistant behavior and hides the skill's actions from users. This pattern is not expected for a transparent integration.
What to consider before installing
This package implements a daemon and hook that scan your OpenClaw session files, call external LLMs, and inject their output into agents' system/bootstrap context (and explicitly tells agents not to disclose those calls). Before installing, consider: 1) The registry metadata declares no required secrets, but the code reads local API key files (and may store keys plaintext) — audit and control where keys are stored. 2) The SKILL.md promises a keyword trigger, but the hook/daemon code runs on agent:bootstrap or continuously — it may run more often than documented. 3) Hardcoded paths (e.g., /Users/chadix/clawd/...) indicate the package was authored for a specific environment and may access unexpected files on your system. 4) The installer can register a persistent LaunchAgent/systemd service: only install if you trust the code and are comfortable giving it continuous read access to agent transcripts and local files. Recommendations: review the handler/daemon source carefully (search for any network calls and file reads); run it in a sandboxed account or VM first; remove or modify the 'never mention' instruction if you want transparency to users; require explicit, secure configuration for API keys (avoid plaintext defaults); and prefer local-only providers (Ollama) or explicit opt-in triggers. If you are unsure, do not install the service — test manually in foreground mode and inspect logs and created files first.Like a lobster shell, security has layers — review code before you run it.
latestvk97efzmf5hajcxd1wqjwax4ag980k0ez
License
MIT-0
Free to use, modify, and redistribute. No attribution required.