JARVIS Mission Control — Free AI Agent Coordination Hub

Name/description (agent coordination hub) aligns with cloning a repo, starting a Node server, and exposing dashboards. Requiring node/npm/git is proportionate. However the README/SKILL.md describe automatic discovery of other agents, reading agent SOUL/MEMORY/IDENTITY files, parsing ~/.claude/projects/ sessions (including tokens/cost), and optionally syncing local .mission-control to missiondeck.ai — some of these data accesses go beyond a minimal 'dashboard' and imply reading sensitive files or network discovery.

Runtime instructions instruct the agent/user to clone and run init/connect scripts and start the server. They also describe auto-discovery of OpenClaw agents and polling ~/.claude/projects/ every 60s to show session tokens/cost/model, auto-reading/writing of SOUL.md / MEMORY.md / IDENTITY.md, and exposing cron job info across agents. Those are explicit file and telemetry accesses not scoped in the top-level requirements and could reveal secrets or private activity. The SKILL.md also encourages running connect-missiondeck.sh with an API key for cloud sync — that step could transmit local data to an external service.

Instruction-only skill: no install spec and no files executed by the skill engine itself. The suggested workflow clones a public GitHub repo and runs included scripts (init/connect/start). From a platform perspective this is lower-risk than arbitrary downloads, but the actual behavior depends on the contents of those scripts (not included here).

Registry metadata lists no required credentials and only optional envs (PORT, MISSION_CONTROL_DIR, OPENCLAW_CRON_FILE). Yet the instructions state the system auto-discovers and parses ~/.claude sessions and reads OpenClaw cron jobs and agent files. Accessing ~/.claude (containing tokens) or other agents' cron/jobs and SOUL/MEMORY files are sensitive actions not reflected in the declared required envs/config paths or in an explicit consent step. The README also prompts users to provide a MissionDeck API key for cloud sync, which would grant an external service access to local data — the skill asks for that in user docs but does not mark such credentials as required.

The skill does not request 'always: true' or modify other skills. It instructs the user to run a long-running server which will create a .mission-control directory (expected). The primary risk is the combination of persistent local storage plus optional cloud sync (connect-missiondeck.sh) and automatic discovery/polling (which increases data-exposure persistence). Autonomous invocation is the platform default and not a distinguishing risk here.