Skill v0.1.0

ClawScan security

DualAgentSolver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 2:52 PM

Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill generally matches its stated purpose (two-agent problem solving and storing the result in memory), but there are inconsistencies and data-exfiltration risks you should understand before installing.
Guidance

What to check before installing/using this skill:
- Review and trust the MCP endpoint: the script sends your query, pulled context, and final solution to OPENBRAIN_MCP_URL and uses tools exposed by that MCP. If you set OPENBRAIN_MCP_URL to anything other than a trusted localhost instance, you may be transmitting sensitive data off-host.
- OpenAI usage is optional but explicit: if you set OPENAI_API_KEY the script will call api.openai.com and send prompt content; only provide that key if you accept that. The skill does not redact sensitive data before sending.
- Verify the 'openclaw' binary: the script runs subprocess 'openclaw agent'. Ensure that binary is present, trusted, and behaves as you expect. The skill metadata did not declare this required binary; treat that as a documentation gap.
- Memory persistence: the skill creates/inserts into public.memories. If you are concerned about long-term storage of queries/results, do not run it, or modify the code to avoid the write.
- Inspect the included script before running: there is no installer, so review scripts/dual_agent_solver.py to confirm it matches your risk tolerance and to change behavior (e.g., disable memory writes, force localhost MCP, or remove OpenAI calls).
- If you want to proceed: run the script in a sandboxed environment first (with OPENBRAIN_MCP_URL pointed to a local/test MCP) and without OPENAI_API_KEY to observe behavior. Add explicit required env var/binary declarations in your deployment policy, or avoid giving it network access if you do not trust remote endpoints.

Review Dimensions

Purpose & Capability
concern
The skill's goal (run two agents, produce a merged solution, and store it in Open Brain memory) matches what the code does. However, the package metadata declares no required binaries or env vars while the runtime uses the 'openclaw' CLI and several environment variables (OPENBRAIN_MCP_URL, OPENBRAIN_MCP_TOKEN, OPENAI_API_KEY). The missing declarations are an incoherence that reduces transparency.

Instruction Scope
concern
SKILL.md and the script instruct the agent to: call an MCP endpoint (OPENBRAIN_MCP_URL) to run tools (search_docs, execute_sql), optionally call the external OpenAI API, run the local 'openclaw agent' binary, and persist results into public.memories. Those actions go beyond purely local reasoning: they transmit the user query/context to external endpoints (the MCP and optionally api.openai.com) and write persistent memory. This is within the skill's functional scope but has potential privacy/exfiltration implications and should be explicitly documented and trusted.

Install Mechanism
ok
No install spec (instruction-only + code file) — nothing is downloaded or installed automatically. This minimizes install-time risk. The included Python script will run on invocation; review it before executing.

Credentials
concern
The script uses several environment variables (OPENBRAIN_MCP_URL, OPENBRAIN_MCP_TOKEN, OPENAI_API_KEY, SOLVER_SECOND_MODEL, OPENBRAIN_SQL_TOOL, OPENBRAIN_CONTEXT_TOOL) but the skill metadata lists none. Requesting an MCP URL/token and an OpenAI key is plausible for its behavior, but the metadata omission is misleading. Especially important: if OPENBRAIN_MCP_URL is pointed at a remote or untrusted endpoint, the skill will send queries, context, and the final outcome to that endpoint and will write memory there via SQL tool calls.

Persistence & Privilege
note
The skill intentionally writes results into public.memories (creates the table if missing and inserts the outcome). That persistent write is consistent with the stated behavior (stores the solution into Open Brain memory). It does not request 'always: true'. Still, persistence means private or sensitive query data will be stored; confirm you want that data kept, and where (the MCP-backed data store).