Back to skill
Skillv0.1.0
ClawScan security
Aiqbee · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 15, 2026, 9:32 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only integration that configures OpenClaw to talk to Aiqbee's MCP endpoint via OAuth; its requests and instructions are consistent with that purpose.
- Guidance
- This skill is coherent: it simply tells your agent to talk to Aiqbee's MCP endpoint and uses OAuth to sign you in. Before installing, verify you trust https://mcp.aiqbee.com and the Aiqbee service because your brain queries and any content you send (including creates/updates/deletes) will be transmitted to that external server. Note the skill supports destructive actions (delete neuron/relationship) — ensure you understand the permissions you grant when you sign in. If you don't want data leaving your environment, do not add the MCP server. If you want extra assurance, check the Aiqbee homepage and GitHub links listed in SKILL.md to confirm the MCP endpoint and OAuth behavior are legitimate.
Review Dimensions
- Purpose & Capability
- okThe name/description (connect to Aiqbee via MCP and manage neurons) matches the instructions: add an MCP server URL, sign in with OAuth, and call graph operations. It does not request unrelated binaries, credentials, or filesystem paths.
- Instruction Scope
- noteSKILL.md stays on-topic (how to add the MCP server, authenticate via OAuth, and example calls via mcporter). It clearly documents CRUD operations (including delete) on neurons and relationships. Important privacy note: configuring the MCP server causes your agent to route brain queries and edits to https://mcp.aiqbee.com/mcp, so the content you send will go to that external service.
- Install Mechanism
- okThere is no install spec or downloaded code — this is instruction-only, so nothing is written to disk by the skill itself.
- Credentials
- okNo environment variables or secrets are required. Authentication is interactive OAuth in the browser, which is proportionate to the described integration. The SKILL.md does not attempt to read other env vars or secret files.
- Persistence & Privilege
- okThe skill does not request always:true and does not declare any special system-wide privileges. It only instructs a configuration change (adding an MCP server) which is expected for this integration.