NORNR MCP Control

v0.1.6

Put policy before paid actions, require approval for risky autonomous actions, and keep a finance-ready audit trail.

by NORNR @onechan
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill is a thin CLI bridge into the NORNR Python SDK (agentpay) to perform preflight/approval flows; requiring a NORNR API key and the pinned SDK is coherent with that purpose. However, registry-level metadata in the bundle lists no required env vars, while SKILL.md and README declare NORNR_API_KEY as required; this mismatch should be corrected.
Instruction Scope
SKILL.md instructs running the small wrapper CLI and setting NORNR_API_KEY (and optionally NORNR_BASE_URL/NORNR_AGENT_ID). Instructions do not request unrelated files, system-wide secrets, or unexpected endpoints beyond the NORNR service specified.
Install Mechanism
Installation is via pip using a pinned PyPI package (nornr-agentpay==0.1.0) from requirements.txt. This is a standard mechanism but does fetch third-party code; review the pinned SDK release/source before installing.
Credentials
The skill requires a single service credential (NORNR_API_KEY) which is appropriate, but the suggested API scopes include powerful write permissions (payments:write, approvals:write). Those scopes are reasonable for a control plane that can trigger or approve payments, but you should issue a dedicated key with minimum necessary scopes.
Persistence & Privilege
always:false (not force-included) and model invocation is allowed (platform default). Because the skill can exercise approval/payment actions via the NORNR API, enabling autonomous invocation increases blast radius—consider restricting autonomous use or requiring operator approval in your environment.
Assessment
This bundle is a thin wrapper around the official NORNR SDK and appears to do what it says, but take these precautions before enabling in production:
1) Fix or confirm the metadata mismatch (registry says no env var but SKILL.md requires NORNR_API_KEY).
2) Review the pinned PyPI package (nornr-agentpay==0.1.0) source/release to ensure it matches the claimed repo.
3) Create a dedicated NORNR API key limited to the minimum scopes you need (avoid broad workspace/treasury admin keys).
4) Test in a non-production workspace to confirm queued/blocked states actually stop autonomous flows.
5) Consider disallowing autonomous invocation for this skill or require an operator step if you cannot tightly control the API key scope.
