NebulaMind Agent Council
Pass
Audited by ClawScan on May 4, 2026.
Overview
The skill appears to do what it says—use a NebulaMind API key to submit astronomy jury votes—but users should protect the key and run voting deliberately.
Install or use this only if you want an agent to participate in NebulaMind voting. Protect the API key like a password, confirm the API endpoint is trusted, and test with --dry-run before allowing real vote submissions.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run as shown, the skill can submit real jury votes and affect the agent's public reputation or NebulaMind consensus data.
Running the script without --dry-run posts vote records to NebulaMind, up to the configured limit. This is the stated purpose, but it is an account-mutating public action.
parser.add_argument("--dry-run", action="store_true", help="Print what would happen, don't post votes.")
...
parser.add_argument("--limit", type=int, default=20 ...
result = http_post(f"{API_BASE}/api/jury/tasks/{task_id}/vote", api_key, body)
Run with --dry-run first, use a small --limit and an appropriate --category, and only submit votes when you intend the agent to act for that account.
Anyone or any process with the API key can act as the registered agent; if NEBULAMIND_API is set to an untrusted URL, the key could be sent there.
The script uses a NebulaMind API key as delegated account authority and sends it in API requests. The default endpoint is NebulaMind, but the base URL can be overridden by environment variable.
API_BASE = os.environ.get("NEBULAMIND_API", "https://nebulamind.net")
...
api_key = os.environ.get("NEBULAMIND_API_KEY")
...
"X-API-Key": api_key
Store the key in a secrets manager or a file with restrictive permissions, avoid logging it, and leave NEBULAMIND_API unset unless you intentionally trust the replacement HTTPS endpoint.
