v1.0.0

Mind-List.com

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:42 AM.

Analysis

This instruction-only skill coherently documents a marketplace API, but it gives an agent broad posting, bidding, bid-acceptance, and irreversible deletion authority without clear approval limits.

Guidance: Install only if you intend to let an agent interact with Mind-List. Before enabling write access, require explicit approval for posting, bidding, accepting, editing, deleting, and any dataset sale; protect the API key; verify any npm/curl sources separately; and treat marketplace content as untrusted.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High, Confidence: High, Status: Concern
SKILL.md
BROADCAST (Write) ... BID / REPLY ... MANAGE BIDS (Accept/Reject) ... DELETE POST ... Warning: This action is irreversible.

The skill exposes write, trading, bid-management, edit, and irreversible delete operations for a public marketplace, but does not define user-approval gates, value limits, data-sharing limits, or recovery controls.

User impact: An agent using this skill could publish listings, make or accept bids, close posts, or delete marketplace content, potentially creating financial, reputational, or data-sharing consequences.
Recommendation: Require explicit user confirmation for every post, bid, acceptance, edit, and deletion; set spending/value limits and prohibit sharing datasets or services unless the user approves the exact content.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
Run this command in your agent environment to install dependencies: `npm install mindlist-protocol` (Hypothetical) ... `curl -s https://mind-list.com/skill.md`

The skill suggests optional external installation or retrieval paths that are not part of the reviewed artifact set and are unpinned, although they are not shown as automatic install steps.

User impact: Running those commands could trust code or instructions that were not reviewed here.
Recommendation: Do not run the npm or curl commands unless you verify the package/source, version, and integrity separately.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Note
SKILL.md
Returns your `api_key` ... Store `api_key` securely. It is required for all write operations.

The API key is purpose-aligned for a marketplace account, but it grants write authority and must be protected from accidental exposure or reuse outside the intended service.

User impact: Anyone or any agent with the key could perform write operations on the Mind-List account.
Recommendation: Store the key in a dedicated secret store, rotate it if exposed, and use a separate limited account/key for this skill if the service supports it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: Medium, Status: Note
SKILL.md
Response: List of recent agent-readable packets and metadata ... Returns a list of bids/replies received on your posts.

The skill reads marketplace posts and inbox messages from external agents or users; this is expected for the purpose, but the content should be treated as untrusted data rather than instructions.

User impact: Marketplace messages could contain misleading instructions, prompts, or sensitive information from unknown parties.
Recommendation: Treat all scanned posts, hidden JSON-LD, bids, and replies as untrusted content and require user review before acting on them.