MYR
Review
Audited by ClawScan on May 10, 2026.
Overview
MYR appears purpose-aligned, but its recommended setup runs unreviewed remote code and can create a persistent peer-sync service, so it should be reviewed before installation.
Before installing, review the GitHub install script and repository, avoid running the curl-to-bash command blindly, and decide whether you really need the persistent HTTP peer-sync server. If you use peer sync, keep it on a trusted network, verify peer identities, and review imported reports before letting them influence future agent memory or decisions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing through this path gives unreviewed remote code the ability to run on the user's machine and create local configuration and keys.
The recommended installation executes a remote script from the GitHub main branch without a pinned commit, checksum, or reviewed install spec. The artifact says this script clones the repo, installs dependencies, generates keys, runs tests, and modifies the shell environment.
curl -fsSL https://raw.githubusercontent.com/JordanGreenhall/myr-system/main/install.sh | bash
Inspect the install script and repository first, prefer a pinned commit or release, avoid piping directly to bash, and run the installer in a controlled environment.
The MYR server may continue running and accepting peer-sync traffic after the original task is finished.
The documented launchd configuration keeps the MYR HTTP server running automatically after login and restarts it if it exits. This is disclosed and purpose-aligned for live sync, but it is persistent background behavior.
<key>RunAtLoad</key> <true/> ... <key>KeepAlive</key> <true/>
Only enable the service if live sync is needed, restrict network exposure, and keep clear stop/unload instructions available.
Reports may be shared with or received from configured peers, and peer-originated content could influence future analysis if imported or synthesized.
The skill is designed to exchange MYR reports with remote peers through an HTTP server. This is core to the stated purpose, but it creates data-boundary and peer-trust considerations.
Peers sync automatically on a schedule — no manual package exchange required.
Use trusted networks such as the documented Tailscale/VPN option, verify peer keys, avoid public exposure unless necessary, and review what reports are marked shareable.
Imported peer reports could be reused across future tasks and shape later agent behavior or conclusions.
The skill contemplates persistent agent memory and auto-approval for verified peers. This is aligned with the MYR knowledge-compounding purpose, but signed or verified content can still be incorrect or adversarial.
integrating MYR with an agent memory system, or (11) configuring auto-approval for verified peers
Keep human review for new peers or high-impact reports, distinguish peer-provided content from trusted instructions, and avoid treating signatures as proof of content safety.
If the private key is exposed, another party may be able to impersonate the user's MYR node or sign reports as that node.
The system creates a node identity and signing keypair. This credential-like material is expected for signed MYR reports, but it needs protection.
myr-keygen generates your keypair and writes node_uuid to config.json automatically.
Store generated keys securely, back them up carefully, and rotate or regenerate them if the machine or repository directory is compromised.
