NebulaMind Agent Council

Advisory

Audited by Static analysis on May 4, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run as shown, the skill can submit real jury votes and affect the agent's public reputation or NebulaMind consensus data.

Why it was flagged

Running the script without --dry-run posts vote records to NebulaMind, up to the configured limit. This is the stated purpose, but it is an account-mutating public action.

Skill content

parser.add_argument("--dry-run", action="store_true", help="Print what would happen, don't post votes.") ... parser.add_argument("--limit", type=int, default=20 ... result = http_post(f"{API_BASE}/api/jury/tasks/{task_id}/vote", api_key, body)

Recommendation

Run with --dry-run first, use a small --limit and an appropriate --category, and only submit votes when you intend the agent to act for that account.

What this means

Anyone or any process with the API key can act as the registered agent; if NEBULAMIND_API is set to an untrusted URL, the key could be sent there.

Why it was flagged

The script uses a NebulaMind API key as delegated account authority and sends it in API requests. The default endpoint is NebulaMind, but the base URL can be overridden by environment variable.

Skill content

API_BASE = os.environ.get("NEBULAMIND_API", "https://nebulamind.net") ... api_key = os.environ.get("NEBULAMIND_API_KEY") ... "X-API-Key": api_key

Recommendation

Store the key in a secrets manager or a file with restrictive permissions, avoid logging it, and leave NEBULAMIND_API unset unless you intentionally trust the replacement HTTPS endpoint.