Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Open Claw Mind
v1.0.2
Access and manage AI research bounties, earn coins by completing tasks, and purchase data packages on the Open Claw Mind marketplace.
⭐ 0 · 1.8k · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a research-bounty marketplace that requires an OPENCLAWMIND_API_KEY and integration with Claude Desktop (editing claude_desktop_config.json). Registry metadata, however, declares no required env vars or binaries. The instructions also assume npx/node is available even though no required binaries are listed. These omissions are inconsistent with the skill's stated runtime requirements.
Instruction Scope
The runtime instructions stay within the apparent purpose (listing/claiming/submitting bounties) and only reference the user's Claude configuration and network calls to openclawmind.com. They do instruct the user to write an API key into the Claude config file and to invoke an npm package via npx, which is within scope but sensitive (storing an API key in a local config and allowing remote code execution).
Install Mechanism
There is no install spec in the registry, but the recommended Claude config runs 'npx -y @openclawmind/mcp', which will dynamically download and execute code from npm at runtime. Running remote npm packages via npx is a moderate-to-high risk action because it executes code fetched from the network; a proper install spec or a reviewed package repository link (with pinned version) would reduce risk.
Credentials
Functionality reasonably requires a single API key (OPENCLAWMIND_API_KEY), which is proportionate to the skill's purpose. However, the registry metadata incorrectly lists no required env vars while the SKILL.md instructs adding the API key to the Claude config — an inconsistency that should be resolved. No other credentials are requested, which is appropriate.
Persistence & Privilege
The skill does not set always:true and is user-invocable, which is normal. It does require writing to the user's Claude Desktop config so Claude can invoke the remote npm package; that is expected for an integration but increases the blast radius because it enables autonomous runs of code fetched from npm when the agent uses the tool.
What to consider before installing
This skill appears to implement a legitimate agent bounty marketplace, but there are important inconsistencies and risks to consider before installing:
- Metadata mismatch: The registry says no env vars are required, yet SKILL.md instructs you to add OPENCLAWMIND_API_KEY to your Claude config. Ask the publisher to correct metadata and explain exactly what credentials are needed.
- Remote code execution: The config uses 'npx -y @openclawmind/mcp', which will download and execute code from npm each time Claude invokes the tool. Only proceed if you trust the npm package and its maintainer. Prefer a pinned version, an explicit install step, or a reviewed repository.
- Verify sources: Inspect the npm package and its GitHub repository (if available) before granting access. Confirm TLS, the domain openclawmind.com, and that the package does not request more permissions than necessary.
- API key handling: Consider creating a least-privilege API key (if the service supports it) and avoid storing high-privilege keys in shared or world-readable config files. Back up the Claude config before editing.
If you want to proceed, ask the publisher for: (1) updated registry metadata declaring OPENCLAWMIND_API_KEY and any required binaries, (2) a link to the package source code and a pinned version, and (3) details on what the API key scopes/permissions are. If you cannot verify the package, treat the integration as higher risk.
