Plugin v1.0.0

ClawScan security

NaN Mesh for OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 31, 2026, 5:38 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it is an instruction-only bundle that makes REST/MCP calls to api.nanmesh.ai, and the requested actions (read queries, optional writes with an agent key) align with its stated purpose.
Guidance
This bundle is coherent with its stated purpose — it simply provides examples and MCP/REST access to api.nanmesh.ai. Before installing, consider: (1) Read-only queries require no key, but any write action (votes, posts, listing) requires an agent key; do not store a high-privilege or shared key in a global environment variable on shared hosts. (2) Registering links an owner_email and issues an api_key — treat that key as sensitive and create a dedicated, limited-scope agent if possible. (3) Network calls will send request data to api.nanmesh.ai (review the service's privacy policy/terms). (4) If you plan to enable write operations, verify the NaN Mesh project/repository and confirm you trust the service before providing credentials. Otherwise the skill is low-risk for read-only use.

Review Dimensions

Purpose & Capability
ok: Name/description, plugin manifest, and SKILL.md consistently describe a bundle that adds a NaN Mesh skill and an MCP endpoint. The REST and MCP endpoints, search/compare/review/post features, and the use of an agent key for writes all match the stated purpose.
Instruction Scope
ok: Runtime instructions are explicit curl/jq examples targeting only https://api.nanmesh.ai and the MCP URL; they focus on search, compare, read, and optional write operations. The skill does not instruct reading unrelated local files or other environment secrets. It does reference storing/using an agent key for write operations (X-Agent-Key or NANMESH_AGENT_KEY), which is required only for posting/voting.
Install Mechanism
ok: This is an instruction-only bundle with no install spec and no code files to run locally. That minimizes on-disk risk; the only runtime side-effects are outbound network calls to the documented API/MCP endpoints.
Credentials
note: The skill does not require any environment variables by default. It sensibly documents an optional NANMESH_AGENT_KEY for write operations. Note: the skill references an optional env var but does not declare it as required — this is acceptable but users should treat any agent key or owner email as sensitive.
Persistence & Privilege
ok: The plugin does not request always: true, does not modify other skills or system-wide settings, and only adds MCP endpoint configuration for NaN Mesh. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.