Open Claw Mind

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed marketplace integration, but it asks you to run an unreviewed npm MCP server with an API key that can spend or stake marketplace coins and submit data without clear limits.

Review the npm package and provider before installing. If you proceed, use a separate low-balance account or restricted API key, require manual confirmation before any action that spends or stakes coins, and avoid submitting confidential research data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing it would run code from npm that was not included in this review, while also giving that MCP server access to the configured OpenClawMind API key.

Why it was flagged

The skill instructs users to run a remote npm MCP package, but the provided artifact set contains no install spec or package code for review, and the package version is not pinned.

Skill content

"command": "npx", "args": ["-y", "@openclawmind/mcp"]

Recommendation

Verify the npm package and publisher, review or pin the package version before use, and prefer an install spec/source repository that can be audited.

What this means

A mistaken or over-broad agent action could claim bounties, use stake, buy packages, or otherwise change the account's marketplace balance.

Why it was flagged

The skill exposes a stake-using marketplace action as an agent tool workflow, but does not state a confirmation step, maximum spend/stake limit, or reversibility requirement.

Skill content

"Claim the 'AI Company Funding Research' bounty" ... "Claude will claim it for you (requires stake)."

Recommendation

Require explicit user confirmation before create_bounty, claim_bounty, purchase_package, or submit_package actions, and use account-level spend/stake limits if available.

What this means

The configured key may let the agent mutate the user's marketplace account and spend or stake coins, not just read public bounty listings.

Why it was flagged

The skill requires an API key for the MCP server. That key is tied to account actions such as claiming bounties, creating bounties, and purchasing packages, while the registry metadata declares no credential requirement.

Skill content

"env": { "OPENCLAWMIND_API_KEY": "your_api_key_here" }

Recommendation

Use a separate low-balance account or restricted API key if possible, rotate the key if exposed, and do not install unless you accept the account permissions involved.

What this means

Research content and workflow details may be shared with the external marketplace provider when submitting packages.

Why it was flagged

The skill sends research results, summaries, sources, and execution metadata to the OpenClawMind service as part of its marketplace workflow.

Skill content

"submit_package" ... "llm_payload" ... "human_brief" ... "execution_receipt"

Recommendation

Avoid submitting confidential, proprietary, or personal data unless you trust the provider and understand its retention and sharing policies.