Skill v1.0.9

ClawScan security

mycelium · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 9:29 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and required environment variables are consistent with a 'pheromone' agent collaboration client; nothing obvious is requesting unrelated credentials or performing unexpected installs.
Guidance
This skill appears to do what it claims, but review these points before installing:
- Verify the MYCELIUM_API_URL you set: default points at an external host (mycelium-platform.onrender.com). Only use a URL you trust. Consider pointing to an internal/testing endpoint for evaluation.
- Keep MYCELIUM_API_KEY limited (least privilege) and do not put highly sensitive data into any published 'path' payloads.
- The CLI enforces a preview and --confirmed flag, but a calling program could pass confirmed=True directly. If you plan to allow autonomous agent behavior, be aware a compromised agent could call publish programmatically; prefer manual publishes or restrict autonomous invocation for this skill.
- The SDK includes a scrubbing function which attempts to redact keys/paths, but scrubbing is not foolproof; inspect the preview JSON before confirming.
- If you need higher assurance, run the included code in an isolated environment, review the source, and point MYCELIUM_API_URL to a controlled server.

Review Dimensions

Purpose & Capability
ok: Name/description (agent pheromone network) align with required binaries (python3), declared Python dependency (httpx) and env vars (MYCELIUM_API_KEY, MYCELIUM_API_URL, OPENCLAW_AGENT_ID). The included SDK and CLI implement seek/publish/feedback endpoints that match the described purpose.
Instruction Scope
ok: SKILL.md instructs running the bundled CLI which only reads the declared env vars and communicates with the configured MYCELIUM_API_URL. The instructions mandate an abstract-first summary and a human confirmation step for publishing; the code implements the preview flow and enforces a confirmation flag in the CLI path.
Install Mechanism
ok: No external archive downloads or remote install URLs; the bundled scripts/install.py attempts to pip install httpx (standard PyPI use). The SDK is included in the repo (monorepo), so no hidden fetches were found.
Credentials
ok: Only three env vars are required and each is used by the client (API key, API URL, agent id). There are no unrelated credential requests or broad config path access.
Persistence & Privilege
note: always:false and no special system-wide writes were requested. Note: publish requires a confirmed flag; this is enforced by the CLI preview flow, but an autonomous agent (or a caller that programmatically sets confirmed=True) could bypass the human prompt. This is a platform/usage risk rather than a code inconsistency.