Janee
Warn. Audited by ClawScan on May 10, 2026.
Overview
Janee is a coherent local secrets proxy, but its defaults can let an agent make broad API calls with stored credentials unless the user carefully adds restrictive policies.
Install only if you are comfortable letting a local MCP tool make API requests with credentials you store in Janee. Use least-privilege keys, avoid command-line key flags, turn off auto-approval for sensitive services, and define restrictive allow/deny rules before enabling the OpenClaw tool.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with this tool could make unintended credential-backed API calls, including account-changing or financial actions, if the user adds a powerful API key without restrictive rules.
Interactive setup defaults auto-approval to yes and creates a capability without any rules in the default object. The docs also state that a capability with no rules allows all requests, so a newly added service can become broadly usable by an agent unless the user manually restricts it.
const autoApprove = !autoApproveInput || autoApproveInput.toLowerCase() === 'y' ... config.capabilities[capName] = { service: serviceName, ttl, autoApprove, requiresReason };
Default new capabilities to deny-by-default rules, avoid auto-approval for write-capable services, and require users to explicitly define allowed methods and paths before agent use.
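As an added illustration (not Janee's code; the rule shape, the function names and the sample capability are assumptions), the following JavaScript contrasts the permissive reading of an empty rule list with a deny-by-default policy, and shows how the auto-approval flag gates a request that the policy does allow:

```javascript
// Added illustrative model, not Janee's code. Rule shape { method, path } and
// all names here are assumptions; the point is how an empty rule list is read.

// A rule matches when the method is "*" or equal, and the path is the rule path
// or lies beneath it (prefix match on a path segment boundary, not a raw prefix).
function requestMatches(rule, method, path) {
  const methodOk = rule.method === "*" || rule.method === method.toUpperCase();
  const base = rule.path.endsWith("/") ? rule.path.slice(0, -1) : rule.path;
  const pathOk = path === base || path.startsWith(base + "/");
  return methodOk && pathOk;
}

// Permissive reading described in the finding: no rules means every request is allowed.
function isAllowedPermissive(capability, method, path) {
  const rules = capability.rules || [];
  if (rules.length === 0) return true;
  return rules.some((rule) => requestMatches(rule, method, path));
}

// Deny-by-default reading: a request is allowed only if an explicit rule matches it.
function isAllowedDenyByDefault(capability, method, path) {
  const rules = capability.rules || [];
  return rules.some((rule) => requestMatches(rule, method, path));
}

// Full decision: policy first, then the approval gate. "approve" means a human must confirm.
function decide(capability, method, path) {
  if (!isAllowedDenyByDefault(capability, method, path)) return "deny";
  return capability.autoApprove ? "allow" : "approve";
}

// Constructed sample: a capability as interactive setup creates it (auto-approval on, no rules).
const freshCapability = { service: "moltbook", ttl: 3600, autoApprove: true, requiresReason: false };

// The same capability after the user disables auto-approval and adds a single read-only rule.
const restrictedCapability = {
  ...freshCapability,
  autoApprove: false,
  rules: [{ method: "GET", path: "/posts" }],
};

// With no rules, the permissive reading lets an agent call anything, including destructive endpoints.
console.log(isAllowedPermissive(freshCapability, "DELETE", "/account"));    // true
console.log(isAllowedDenyByDefault(freshCapability, "DELETE", "/account")); // false
console.log(decide(restrictedCapability, "GET", "/posts/42"));              // "approve"
console.log(decide(restrictedCapability, "POST", "/posts"));                // "deny"
```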
If you store a highly privileged key, Janee can use that key on behalf of the agent; the blast radius depends on your API key scope and Janee policies.
The skill intentionally collects and stores API credentials for later agent-mediated use. This is core to the product and disclosed, but it gives the agent delegated authority over whatever services and scopes the user configures.
Follow the prompts to add your API credentials. Keys are encrypted automatically.
Use least-privilege API keys, separate read-only and write-capable capabilities, and avoid adding production or financial credentials until policies are tested.
A user following the example could expose an API key locally even though the skill is marketed as preventing key exposure.
The safety claim is strong, but the documented command-line example passes a secret as an argument. Command-line secrets can be captured in shell history, terminal logs, or process listings.
Never expose your API keys again ... janee add moltbook -u https://www.moltbook.com/api/v1 -k YOUR_KEY
Prefer interactive or secure input that does not echo or persist in shell history, and clearly warn users not to pass real keys with command-line flags.
Installing the wrong or compromised package could put stored API credentials at risk.
The skill relies on external npm packages and a globally installed CLI/plugin. This is purpose-aligned, but provenance matters because the installed code will manage secrets and make authenticated requests.
npm install -g @true-and-useful/janee ... openclaw plugins install @true-and-useful/janee-openclaw
Verify the package name, publisher, repository, and version before installation; install from trusted sources only.
Any agent allowed to use the Janee tool can ask the local MCP server to make configured API requests.
The OpenClaw plugin bridges agent tool calls into a local Janee MCP server. This is expected, but it makes OpenClaw tool permissions the control boundary for credential-backed API use.
const transport = new StdioClientTransport({ command: "janee", args: ["serve"] }); ... client.callTool({ name: "execute", arguments: { capability: params.service, method: params.method, path: params.path, body: params.body, reason: params.reason } })
Only enable the Janee tool for trusted agents and pair it with restrictive Janee capabilities.
Local logs may expose what services were accessed and why, even if they do not contain the raw API key.
Janee persistently stores audit logs of API activity. This is disclosed and useful, but service names, endpoints, statuses, and reasons can reveal sensitive operational details.
Everything is logged — full audit trail ... All requests are logged to `~/.janee/logs/`.
Protect ~/.janee, review log retention needs, and avoid putting secrets or unnecessary personal data in request reasons.
