LeafEngines Clawhub Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a disclosed agricultural API/MCP integration, but users should understand that it uses a third-party API key and may send farm, location, and image data to a remote service.

Before installing, verify that you trust the LeafEngines provider and endpoint, review any helper script before running it, use a dedicated API key, check pricing/quota terms, and avoid sending sensitive farm, photo, location, or budget data unless you are comfortable sharing it with the remote service.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the helper can create a persistent OpenClaw MCP configuration pointing to the LeafEngines remote service.

Why it was flagged

The included helper script writes OpenClaw configuration and contacts the remote API if the user runs it, while the registry lists no install spec. This is aligned with setup, but users should inspect it before execution.

Skill content

CONFIG_DIR="$HOME/.openclaw/config" ... cat > "$CONFIG_DIR/config.yaml" ... curl ... https://wzgnxkoeqzvueypwzvyn.supabase.co/functions/v1/api/health

Recommendation

Review the script before running it, back up existing OpenClaw config, and remove the LeafEngines MCP entry if you stop using the service.

What this means

API calls may consume your quota or paid subscription allowance if the key is configured.

Why it was flagged

The service requires a provider API key. This is expected for the API integration, but it gives access to the user's LeafEngines quota or paid plan.

Skill content

All requests require an `x-api-key` header with your API key.

Recommendation

Use a dedicated, revocable API key; understand the pricing and quota; do not paste the key into unrelated chats or files.

What this means

Farm locations, images, and operational details may leave your local environment and be processed by the LeafEngines API.

Why it was flagged

The API examples show that farm photos, precise location, and budget/business details can be sent to the remote service. This is purpose-aligned but privacy-relevant.

Skill content

"photos": ["base64_encoded_image_data"] ... "location": {"latitude": 38.9072, "longitude": -77.0369}, ... "budget_usd": 50000

Recommendation

Only send data you are comfortable sharing with the provider, and verify the provider's privacy and retention practices before using sensitive farm or business information.