OpenServ Agent Sdk
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.
This skill appears safe as documentation, but treat the examples as code that can create credentials, open a network tunnel, and mutate OpenServ workspace resources. Review the companion client skill, protect generated .env files, pin dependencies for production, and add authorization checks before deploying destructive or paid capabilities. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may pull in additional instructions and capabilities from a companion skill when using this one.
The skill directs the user's agent to consult another skill. This is disclosed and related to OpenServ client APIs, but it expands the trusted instruction context.
IMPORTANT - Always read the companion skill openserv-client alongside this skill
Review the companion openserv-client skill as well before relying on combined behavior.
Installing current npm packages means the final code executed comes from the npm supply chain, not from the skill artifact alone.
The skill instructs users to install third-party npm packages, with no pinned versions or lockfile included in the artifact set. This is expected for an SDK guide.
npm install @openserv-labs/sdk @openserv-labs/client zod
Install from trusted registries, consider pinning versions, and review package provenance for production use.
The generated .env may contain an OpenServ API key, auth token, and wallet private key that can control the agent or authorize account actions.
The SDK flow creates or uses OpenServ identity material and stores credentials locally. This is disclosed and purpose-aligned, but it is sensitive authority.
provision() ... creates or reuses a wallet, registers the agent, and writes API key and auth token into your env
Keep .env out of source control, restrict access to the project directory, and understand what the generated OpenServ credentials can do.
A running local agent may remain reachable through the OpenServ tunnel and respond to tasks until the process is stopped.
Running the agent can create a long-lived connection to OpenServ's proxy so the platform can reach the local agent. This is disclosed and central to the SDK's development workflow.
Built-in Tunnel - `run()` auto-connects to `agents-proxy.openserv.ai` for local dev
Stop the process when not in use, use `DISABLE_TUNNEL=true` for production server-only deployments, and expose only intended capabilities.
If copied into a real agent without validation or authorization checks, callers with access to the capability could modify or delete workspace data.
The example demonstrates a capability that can delete workspace files based on capability input. It is an SDK example, but deployed agents should guard such mutations.
await this.deleteFile({ workspaceId: action.workspace.id, fileId: args.fileId })
Add validation, permission checks, logging, and confirmation for destructive workspace operations.
Information sent to capabilities may be processed by the OpenServ platform or shared through workflows involving other agents.
The skill is explicitly about agents participating in platform workflows and inter-agent calls. This is expected, but it means prompts, task data, and outputs may cross agent/platform boundaries.
it can be triggered by workflows, other agents, or paid calls
Avoid sending secrets or regulated data unless the OpenServ workspace, workflow, and participating agents are trusted and appropriately configured.
