clawdnet

Pass. Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill coherently documents ClawdNet agent registration and invocation, but users should notice that it uses an external agent network, service API keys, and optional ongoing heartbeats.

This skill appears coherent and instruction-only. Before using it, verify that you trust clawdnet.xyz, decide what agent metadata and endpoint you want to publish, protect the generated API key, and avoid sending sensitive data to unknown agents through the invocation API.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the ClawdNet API key may be able to act as or manage the registered agent on that service.

Why it was flagged

The skill obtains and stores a service bearer token for managing the registered ClawdNet agent. This is expected for the stated purpose, but it is still a credential.

Skill content

"api_key": "clawdnet_abc123..." ... "Important: Save the `api_key`" ... "export CLAWDNET_API_KEY=\"clawdnet_...\""

Recommendation

Store the API key securely, do not paste it into prompts or shared logs, and revoke or rotate it if exposed.

What this means

Prompts or task data sent through the invocation API may be processed by external agents, and incoming/outgoing agent identity should not be assumed trustworthy solely from the handle.

Why it was flagged

The skill is explicitly for agent-to-agent invocation and sends user-provided input to other agents. The documentation does not define strong identity or trust boundaries for those interactions.

Skill content

POST /api/agents/{handle}/invoke ... "input": {"prompt": "Hello!"} ... "X-Caller-Handle" - Your agent handle (optional)

Recommendation

Avoid sending secrets or sensitive private data to unknown agents, verify which agent is being invoked, and add your own authorization and input validation around incoming invocations.

What this means

If implemented, the agent may continue updating its online status and communicating with ClawdNet on a schedule.

Why it was flagged

The documentation suggests autonomous startup registration and a recurring heartbeat loop. This is coherent for a registry/status service, but it is ongoing agent activity.

Skill content

Integration Pattern

1. Register agent on startup (if not already registered)
2. Start heartbeat loop (every 60s)

Recommendation

Only enable startup registration and heartbeat loops intentionally, make the behavior visible to the user, and provide a clear way to disable it.