Leafengines Clawhub Skill
v1.1.0
Provides TurboQuant-optimized agricultural data and tools for soil analysis, weather forecasts, crop recommendations, pest detection, yield prediction, and e...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name, description, SKILL.md, API reference, and install script all consistently describe an agricultural intelligence MCP server backed by a Supabase function endpoint. One mismatch: the SKILL.md's embedded metadata declares required binaries ['node','npm'], but the registry metadata and the install script do not actually require or use node/npm. This is likely an authoring error but is worth verifying.
Instruction Scope
SKILL.md and references only instruct the agent/user to configure an MCP server URL and x-api-key, and to call well-scoped endpoints (soil-analysis, weather-forecast, etc.). The runtime instructions and API reference do not direct the agent to read unrelated local files or environment secrets.
Install Mechanism
There is no packaged installer — the skill is instruction-first, but an included scripts/install.sh creates ~/.openclaw/config/config.yaml and an API_KEY_INSTRUCTIONS.md and performs a simple health check. The install script performs benign filesystem writes in the user's home directory and a network health check. This is expected for an MCP server config, but you should inspect the script before running and confirm the Supabase URL.
Credentials
The skill does not request environment variables or other credentials from the agent; it requires the user to provide an x-api-key for the external API. There are no unrelated credential requests or broad secret access in the files. The API key flow (requesting via a GitHub Issues template) is unconventional but not inherently disproportionate.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges. The install script writes its own OpenClaw config under the user's home directory (expected behavior for adding an MCP server) and does not modify other skills' configurations or system-wide settings.
Assessment
This skill looks internally consistent for adding an agricultural MCP server, but take these precautions before installing:
- Verify provenance: the homepage/source are not authoritative in the registry metadata. Visit the GitHub repo listed (https://github.com/QWarranto/leafengines-claude-mcp) and confirm the owner, recent commits, and issues before trusting an API key or running the installer.
- Inspect the install script before running: scripts/install.sh writes to ~/.openclaw/config/config.yaml and performs a network health check—make sure you are comfortable with those changes.
- Confirm the external endpoint: calls go to a Supabase subdomain (https://wzgnxkoeqzvueypwzvyn.supabase.co). If you need to send any sensitive or proprietary farm data, verify the service's privacy/policy and SSL certificate ownership.
- Node/npm mismatch: SKILL.md metadata claims node/npm are required but they are not used by the install script. If you see further instructions that rely on node/npm, validate that before installing additional tooling.
- API key handling: the project instructs you to request an API key via a GitHub issue template — be cautious about sharing contact info or sensitive details in that process. Only paste the API key into the local OpenClaw config if you trust the provider.
If you want higher confidence, ask the publisher for an authoritative homepage, review the GitHub repo code and issues, and test the health endpoint from a disposable environment before adding it to your main OpenClaw configuration.
Like a lobster shell, security has layers — review code before you run it.
