Maven Smart System Ai (palantir integration)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent but high-risk because it stores an MSS API key and can change targeting or strike workflow state.
Do not install this unless you are authorized to operate the referenced MSS environment and can verify the publisher. If used, configure only the legitimate endpoint, use least-privileged credentials, keep the .env file protected, and require independent human approval before any status change or asset assignment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to a real MSS account, a mistaken or unintended tool call could alter operational targeting state or create/advance a strike mission.
The skill exposes tools that can mutate a tactical system, including assigning strike assets and moving target workflow status.
assign_strike_asset ... "Assigns a specific military asset to a target for a strike mission." ... update_kanban_status ... "Moves a target card to the specified stage on the MSS Kanban board."
Use only with explicit authorization, least-privileged credentials, and an external human approval process. Prefer read-only tokens unless mutation is intentionally required.
A stored MSS API key could grant continuing access to sensitive or high-impact MSS operations from this skill environment.
The setup script writes the MSS API key and endpoint to a local .env file, even though registry metadata declares no primary credential or required env vars.
lines.append(f"MSS_API_KEY={api_key}\n")
lines.append(f"MSS_API_ENDPOINT={endpoint}\n")
with open(env_path, "w") as f:Verify the publisher and endpoint before entering any key, use a narrowly scoped or read-only token where possible, and protect or remove the .env file when not needed.
Users have less basis to trust that this is an official or reviewed integration for such a sensitive system.
The artifact provenance is not established by the registry metadata. This matters more because the skill claims integration with a high-impact Palantir/MSS environment.
Source: unknown Homepage: none
Install only after independently verifying the publisher, code, endpoint, and dependency environment.