Comind

Audited by ClawScan on May 10, 2026.

Overview

Comind is a coherent CoMind integration, but it can use an API token to silently sync local workspace Markdown files and modify CoMind tasks and documents on recurring heartbeats, so it needs review before use.

Install only if you intend this agent to act as a CoMind AI member. Use a dedicated workspace, keep secrets out of synced Markdown files, restrict the API token, verify the Gateway and COMIND_BASE_URL, and avoid enabling heartbeat/Cron sync until you understand exactly which files and CoMind objects it can update.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Local workspace Markdown files may be uploaded to CoMind or overwrite existing CoMind documents during heartbeat sync.

Why it was flagged

The heartbeat workflow can turn local file changes into remote `update_document` or `create_document` calls, which is a high-impact mutation path without an explicit per-file confirmation step.

Skill content

Scan the `.md` files in the directory ... update documents via the external MCP API ... "content": "(latest content read from the local file)" ... new files ... create via `create_document`

Recommendation

Enable this only for a dedicated CoMind workspace, add allowlists/exclusions and dry-run or approval steps before create/update operations, and monitor CoMind audit logs.

What this means

Sensitive or incorrect information stored in local task files, CLAUDE.md, or indexed Markdown can be reused and propagated into CoMind documents and status panels.

Why it was flagged

The skill relies on persistent local workspace context and file indexes, then reuses that context for future synchronization and status/report generation.

Skill content

CoMind automatically maintains the following files under the workspace directory ... `tasks/TODO.md` ... `.comind-index` ... `CLAUDE.md` ... file index (path → ID/hash/version)

Recommendation

Keep secrets out of synced workspaces, restrict which directories are indexed, verify CLAUDE.md/.comind-index provenance, and define retention/exclusion rules.

What this means

The agent may continue performing status and sync work in the background if heartbeat scheduling is enabled.

Why it was flagged

The recurring behavior is disclosed and requires Cron/Gateway setup, but once configured it is designed to run silently on a schedule.

Skill content

This task does not run automatically ... OpenClaw Cron Job (triggering every 5-10 minutes is recommended) ... this task runs silently by default ... when there are no anomalies, reply: `HEARTBEAT_OK`

Recommendation

Only configure heartbeat Cron jobs intentionally, choose a conservative frequency, and make sync activity visible through logs or notifications.

What this means

Anyone with the token can potentially act as the configured CoMind AI member within the token’s scope.

Why it was flagged

The helper script uses the CoMind API token as a bearer credential, which is expected for this integration but grants delegated account/workspace access.

Skill content

parser.add_argument("--token", default=os.environ.get("COMIND_API_TOKEN", ""), help="API Token") ... "Authorization": f"Bearer {token}"

Recommendation

Use a least-privilege token, store it securely, rotate it if exposed, and ensure `COMIND_BASE_URL` points only to a trusted CoMind instance.

What this means

A misconfigured or untrusted Gateway could expose the CoMind API token.

Why it was flagged

The documented WebSocket configuration flow can deliver the API token through the OpenClaw Gateway, so the Gateway becomes part of the credential boundary.

Skill content

The Gateway sends an event requesting configuration ... CoMind responds ... payload: { baseUrl: 'http://localhost:3000', apiToken: 'xxx' }

Recommendation

Use this automatic configuration flow only with a trusted Gateway, protect the WebSocket channel, and prefer manual environment configuration where stronger secret handling is required.