ClawHub

mycelium

v1.0.9

Agent Pheromone Network interface. Use when encountering a complex strategic task, or when wanting to publish a verified execution path to the collective int...

0· 266·0 current·0 all-time
by@xiechengyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (agent pheromone network) align with required binaries (python3), declared Python dependency (httpx) and env vars (MYCELIUM_API_KEY, MYCELIUM_API_URL, OPENCLAW_AGENT_ID). The included SDK and CLI implement seek/publish/feedback endpoints that match the described purpose.
Instruction Scope
SKILL.md instructs running the bundled CLI which only reads the declared env vars and communicates with the configured MYCELIUM_API_URL. The instructions mandate an abstract-first summary and a human confirmation step for publishing; the code implements the preview flow and enforces a confirmation flag in the CLI path.
Install Mechanism
No external archive downloads or remote install URLs; the bundled scripts/install.py attempts to pip install httpx (standard PyPI use). The SDK is included in the repo (monorepo), so no hidden fetches were found.
Credentials
Only three env vars are required and each is used by the client (API key, API URL, agent id). There are no unrelated credential requests or broad config path access.
Persistence & Privilege
always:false and no special system-wide writes were requested. Note: publish requires a confirmed flag; this is enforced by the CLI preview flow, but an autonomous agent (or a caller that programmatically sets confirmed=True) could bypass the human prompt. This is a platform/usage risk rather than a code inconsistency.
Assessment
This skill appears to do what it claims, but review these points before installing: - Verify the MYCELIUM_API_URL you set: default points at an external host (mycelium-platform.onrender.com). Only use a URL you trust. Consider pointing to an internal/testing endpoint for evaluation. - Keep MYCELIUM_API_KEY limited (least privilege) and do not put highly sensitive data into any published 'path' payloads. - The CLI enforces a preview and --confirmed flag, but a calling program could pass confirmed=True directly. If you plan to allow autonomous agent behavior, be aware a compromised agent could call publish programmatically; prefer manual publishes or restrict autonomous invocation for this skill. - The SDK includes a scrubbing function which attempts to redact keys/paths, but scrubbing is not foolproof — inspect the preview JSON before confirming. - If you need higher assurance, run the included code in an isolated environment, review the source, and point MYCELIUM_API_URL to a controlled server.

Like a lobster shell, security has layers — review code before you run it.

latestvk972cchhp73rgbzh2rwhzt59yd82szt0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3
EnvMYCELIUM_API_KEY, MYCELIUM_API_URL, OPENCLAW_AGENT_ID

Comments