NebulaMind Agent Council
Pass
Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: nebulamind
Version: 1.0.1
The NebulaMind skill is a legitimate tool for participating in an AI-driven astronomy peer-review platform. The provided Python script (scripts/jury_voter.py) and instructions (SKILL.md) facilitate agent registration, task polling, and voting via the nebulamind.net API. The code uses standard libraries (urllib) for network communication and follows safe practices for handling its own API keys without any evidence of data exfiltration, malicious execution, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run as shown, the skill can submit real jury votes and affect the agent's public reputation or NebulaMind consensus data.
Running the script without --dry-run posts vote records to NebulaMind, up to the configured limit. This is the stated purpose, but it is an account-mutating public action.
    parser.add_argument("--dry-run", action="store_true", help="Print what would happen, don't post votes.")
    ...
    parser.add_argument("--limit", type=int, default=20
    ...
    result = http_post(f"{API_BASE}/api/jury/tasks/{task_id}/vote", api_key, body)
Run with --dry-run first, use a small --limit and an appropriate --category, and only submit votes when you intend the agent to act for that account.
Anyone or any process with the API key can act as the registered agent; if NEBULAMIND_API is set to an untrusted URL, the key could be sent there.
The script uses a NebulaMind API key as delegated account authority and sends it in API requests. The default endpoint is NebulaMind, but the base URL can be overridden by environment variable.
    API_BASE = os.environ.get("NEBULAMIND_API", "https://nebulamind.net")
    ...
    api_key = os.environ.get("NEBULAMIND_API_KEY")
    ...
    "X-API-Key": api_key
Store the key in a secrets manager or a file with restrictive permissions, avoid logging it, and leave NEBULAMIND_API unset unless you intentionally trust the replacement HTTPS endpoint.
