Skill v1.0.0
ClawScan security
MidOS MCP — Knowledge OS for AI Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 10:59 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (a knowledge OS) is plausible, but the SKILL.md advertises file and shell execution tools and an external API without declaring any authentication or required credentials — this mismatch warrants caution.
- Guidance: This skill appears to be a remote Knowledge OS and many usages are reasonable (search, memory, planning). But before installing:
  1) Ask the publisher how authentication works — why are no API keys or tokens declared? Confirm whether midos.dev requires an API key, and how credentials are transmitted and stored.
  2) Clarify what maker_run_bash / maker_read_file / maker_write_file actually do and where they execute (on your machine, on MidOS servers, or on third-party workers). If they can run local shell or read local files, do not enable autonomous invocation and restrict the skill to manual use only.
  3) Prefer self-hosting (they provide a repo) if you will send sensitive data.
  4) Avoid providing webhook/Discord tokens to the skill until you understand where notifications originate.
  5) If you must use the hosted service, limit the agent’s permissions, monitor network calls, and review privacy/terms for data retention and sharing.
Review Dimensions
- Purpose & Capability (concern): The skill describes a Knowledge OS and search/memory/plan tools which fit its name, but it also advertises 'Execution' tools (maker_run_bash, maker_read_file, maker_write_file, git, HTTP fetch). Those capabilities are powerful and potentially outside a pure "knowledge search" role; the SKILL.md does not explain where those executions run (remote service vs local agent) nor why no credentials are required to access them. Requiring remote execution/file-op capabilities without clarifying scope or auth is disproportionate to the plain knowledge-search description.
- Instruction Scope (note): The instructions focus on JSON-RPC calls to https://midos.dev/mcp and provide examples for search, memory, and plan operations which are in-scope. However the doc also includes heartbeat guidance and references execution and notifier tools; the instructions do not show any authentication, nor do they limit or clarify usage of file/shell execution tools. That ambiguity could allow broad actions if the agent or service interprets tool names as able to run arbitrary commands or access files.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. No downloads or packages are pulled by the skill itself.
- Credentials (concern): The skill declares no required environment variables or primary credential even though it points at a remote API (midos.dev) and lists webhook/Discord notifiers and execution tools that normally need authentication or tokens. The absence of declared credentials is inconsistent with expected needs for a remote platform that can perform actions or notify external services.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request persistent platform privileges. Note: autonomous invocation (model-invocation enabled by default) is allowed — combined with the execution toolset this raises the blast radius if you enable the skill to act autonomously, but autonomous invocation itself is the platform default.
