Back to skill
Skillv1.0.0
ClawScan security
Nod · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 19, 2026, 10:09 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions match its stated purpose (agent-native professional networking) and do not ask for unrelated credentials or risky installs.
- Guidance
- This skill is internally consistent: it only needs an MCP server URL in your agent config and uses OAuth for protected actions. Before installing, verify the mcpServers.nod URL (https://connect.joinnod.com/mcp) matches the official Nod service and review the OAuth consent screen/scopes when authenticating. Understand that messaging and inbox actions require account authorization (tokens will be granted to allow the agent to act on your behalf), so confirm you’re comfortable with that level of access. If you want extra caution, inspect or backup your openclaw.json before adding the mcpServers entry and verify Nod's privacy/permission details on the joinnod.com site.
Review Dimensions
- Purpose & Capability
- okThe name/description (professional networking, find people, send messages) aligns with the declared requirement: a single config entry mcpServers.nod pointing at Nod's MCP endpoint. No unrelated environment variables, binaries, or installs are requested.
- Instruction Scope
- okSKILL.md confines actions to searching profiles, toggling nods, messaging, and viewing inbox via the Nod MCP endpoint. It instructs adding the mcpServers.nod entry and describes OAuth-based auth for protected actions. It does not ask the agent to read unrelated files, exfiltrate data, or call external endpoints beyond the Nod server.
- Install Mechanism
- okThere is no install spec and no code files; the skill is instruction-only, which minimizes disk-write risk. No downloads, package installs, or archive extraction are present.
- Credentials
- okThe skill requests no environment variables or secrets in its metadata. Authentication is handled via OAuth at runtime (expected for messaging/profile actions) and is proportional to the described features. The only required config path (mcpServers.nod) is appropriate for specifying the service endpoint.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or platform-wide privileges. It requires adding its own mcpServers entry to openclaw.json (expected) and does not indicate modifying other skills or system-wide settings.