Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LLM-WikiMind MCP Setup

v1.0.0

Install and configure the LLM-WikiMind MCP server — a local knowledge base built on Karpathy's LLM Wiki pattern. Triggers: install wikimind, setup knowledge...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (LLM-WikiMind MCP server) aligns with the required binaries (python3, git) and the runtime actions (git clone, start a Python server). However the SKILL.md uses pip3 but pip3 is not listed in required binaries, and it expects the WIKIMIND_ROOT environment variable in the registration examples even though requires.env is empty. Those omissions are inconsistent with the declared metadata.
Instruction Scope
Instructions are focused on installing, initializing, and running the local wiki and MCP server. They do instruct modifying user configuration files (append auto-start line to ~/.zshrc and editing client config like Claude's JSON) and starting a background watcher that auto-syncs. The instructions do not ask for secrets or for reading unrelated system files, but they do direct writes to user config files and create a persistent background process.
Install Mechanism
Installation is instruction-only: git clone from GitHub (expected) and pip3 install qmd (PyPI). These are common, but installing arbitrary PyPI packages and running code from a cloned repo can execute arbitrary code — the package 'qmd' and the repository contents should be reviewed before running. The optional npx clawhub@latest command (npm) is another package install to be reviewed if used.
Credentials
No credentials or sensitive env vars are requested, which fits a local-only wiki. However the SKILL.md expects WIKIMIND_ROOT to be set/provided when registering the MCP server, yet requires.env is empty. Also pip3 is used but not declared as a required binary. These are mismatches between declared requirements and the runtime instructions.
Persistence & Privilege
The skill does not force inclusion (always: false). Still, it recommends persistent changes: starting a background watcher, appending a command to ~/.zshrc for auto-start, and registering a local MCP server in client configs. Those are normal for a local service installer but are persistent and will run code on login/in the background until removed.
What to consider before installing
This skill appears to be a legitimate installer for a local knowledge-base MCP, but take a few precautions before proceeding:
- Inspect the GitHub repo code (especially .wiki-mcp/server.py and the 'wikimind' scripts) before running them; cloned code runs locally and can do anything your user account can do.
- Check the PyPI package 'qmd' (pip3 install qmd) before installing; consider using a Python virtualenv to avoid changing your global site-packages.
- Ensure you have pip3 available (the SKILL.md uses pip3, but required binaries omit it); install pip3 or adapt commands accordingly.
- Back up ~/.zshrc and any client config files (e.g., Claude config) before letting the installer append or edit them.
- Be aware that the watcher starts a background process and the server will be reachable locally; if you care about network exposure, review the server binding/ports and use a firewall or x-local-only binding.
- If you want stronger isolation, run the service under a dedicated user or inside a container.
- Ask the publisher to update metadata to declare pip3 as a required binary and to mention WIKIMIND_ROOT as an expected env variable so the manifest matches the runtime instructions.

Like a lobster shell, security has layers — review code before you run it.

Tags: BM25, MCP, karpathy, knowledge-base, latest, llm-wiki, local-first, second-brain, setup, wiki

Runtime requirements

Bins: python3, git
