Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Leafengines Clawhub Skill

v1.1.0

LeafEngines MCP Server - Agricultural Intelligence API for Claude and OpenClaw. Provides 9 tools for soil analysis, weather forecasting, crop recommendations...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md tools list, and API reference are coherent for an agricultural intelligence MCP server. However the SKILL.md metadata declares required binaries (node, npm) while the included install script only checks for curl and the registry metadata at the top lists no required binaries — this is an inconsistency between claimed runtime needs and the actual installer.
Instruction Scope
Runtime instructions only direct the agent/user to configure an MCP server URL and include an x-api-key header for calls to a single Supabase-hosted endpoint. The install.sh writes a config file into ~/.openclaw/config/config.yaml (expected for an OpenClaw skill). The instructions for obtaining the API key (open a GitHub issue) are unusual because they risk exposing credentials if users paste secrets in a public issue.
Install Mechanism
There is no automated install spec; the repo includes a local scripts/install.sh that performs only local operations (checks curl, creates ~/.openclaw/config, writes an instructions file, tests a health endpoint). The script does not download or execute remote code or extract archives from arbitrary URLs.
Credentials
The skill does not declare required environment variables, but it requires an x-api-key for the external MCP endpoint — that's expected. The concern is the suggested API key onboarding (opening a GitHub issue) which could result in accidental public disclosure of keys. Also, the declared node/npm requirement in SKILL.md metadata is not justified by the included files, another mismatch that should be clarified.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It does write/modify a per-user OpenClaw config file (~/.openclaw/config/config.yaml), which is reasonable for a client MCP integration but should be reviewed by the user before running.
What to consider before installing
This skill appears to implement an agricultural MCP server integration, but there are a few red flags to review before installing or using it:
1) Clarify why SKILL.md lists node/npm as required while the install script only uses curl — don't run things that need tools you don't trust.
2) Be careful with API key onboarding: the instructions tell you to request a key via a GitHub issue — do not paste any secret keys or private data into public issues. Ask the maintainer how keys are delivered (prefer private email or a secure dashboard).
3) Verify the Supabase endpoint owner and the GitHub repository (https://github.com/QWarranto/leafengines-claude-mcp) to confirm legitimacy.
4) Inspect the install script content and back up your existing ~/.openclaw/config before running it; consider manually adding the mcpServers block to your config rather than running scripts.
5) If you need higher assurance, request an official homepage, public release notes, or an explanation of the TurboQuant claims and node/npm requirement — that additional info would raise confidence.

Like a lobster shell, security has layers — review code before you run it.
