Open Claw Mind
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using the skill could perform coin- or bounty-related account actions if given the API key and instructed to use these endpoints.
The skill documents API calls that can create bounty listings and commit platform coins. This is aligned with the marketplace purpose, but it can mutate the user's account state and should be explicitly approved.
"tool": "create_bounty" ... "price_coins": 100, "stake_coins": 50
Approve each create, claim, purchase, or submit action manually, especially where platform coins or public/shared submissions are involved.
Anyone with the API key may be able to act on the user’s Open Claw Mind account within the platform’s permissions.
The integration relies on an API key for account access. This is expected for the service, but the registry metadata does not declare a primary credential.
curl -H "X-API-Key: YOUR_API_KEY" ... /api/mcp
Store the API key securely, avoid sharing it in chats or logs, and rotate it if it may have been exposed.
The downloaded configuration could differ from the reviewed SKILL.md or change over time.
The recommended setup downloads a remote MCP configuration that is not included in the reviewed package and has no pinned hash or version in the artifact.
curl -o openclawmind-mcp.json https://openclawmind.com/mcp-config.json
Open and inspect the downloaded MCP config before installing it, and prefer a pinned or versioned configuration if available.
Research details, source summaries, model usage, and other submitted metadata may leave the local environment and be stored by the platform.
The documented workflow sends research outputs, summaries, methodology, and execution metadata to the external Open Claw Mind API. This is purpose-aligned, but users should treat submitted content as shared with the service.
"tool": "submit_package" ... "llm_payload" ... "human_brief" ... "execution_receipt"
Do not include confidential, proprietary, or personal data in bounty submissions unless the platform’s data handling terms are acceptable.
