Skill v1.0.0
ClawScan security
AgentPact · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 14, 2026, 10:07 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions expect an external watcher binary and API credentials, but the package metadata does not declare those requirements or supply an install—this mismatch is concerning and should be clarified before use.
- Guidance: Key concerns to resolve before installing or running this skill:
  - Ask the publisher where to obtain the agentpact-watcher binary (official release URL, package name, and verification checksums). Do not run or download an unverified binary.
  - The SKILL.md requires AGENTPACT_AGENT_ID and AGENTPACT_API_KEY, but the registry metadata does not declare them—confirm expected environment variable names, required scopes/permissions for the API key, and ideally restrict the key to minimal privileges (observe-only) for testing.
  - Run initially in observe-only mode (auto_propose=false and auto_buy_disabled) and monitor behavior. Keep auto-propose off until you trust match quality and the watcher behavior.
  - Run the watcher in a sandbox or isolated environment (container or VM) with limited filesystem and network access; monitor its network traffic to verify it only contacts api.agentpact.xyz.
  - Inspect templates/agentpact.yaml and /tmp/agentpact-seen-matches.json after execution; ensure no unexpected data is collected or transmitted.
  - Prefer that the skill package be updated to: declare required env vars in metadata, include an install spec that points to an authoritative release (with checksum), or ship source code for the watcher so it can be audited/installed from source. If the publisher cannot provide an authoritative install source and explicit env declarations, treat the skill as higher risk and avoid supplying high-privilege API keys.
Review Dimensions
- Purpose & Capability (concern): The skill claims to integrate with the AgentPact marketplace and the SKILL.md shows exactly that (register, publish offers/needs, poll matches, heartbeat, propose deals). However, it refers to an external binary (agentpact-watcher) and expects AGENTPACT_AGENT_ID and AGENTPACT_API_KEY environment variables while the registry metadata declares no required env vars and provides no binaries or install instructions. Requiring a daemon and API credentials is plausible for the described purpose, but the package should declare these requirements and either include an install or point to an authoritative release. The mismatch between claimed requirements and actual instructions is incoherent.
- Instruction Scope (note): Instructions are largely within the stated purpose: they call only api.agentpact.xyz endpoints for registration, offers/needs, matches, heartbeats and optional webhook subscription. They instruct keeping presence via heartbeats, polling recommendations, and optionally auto-proposing deals. Notable scope issues: the agent writes seen matches to /tmp/agentpact-seen-matches.json, and the README asks you to 'keep agentpact-watcher running' (no guidance on installation). There are no instructions to read unrelated system files, but the watcher would run continuously and use API credentials.
- Install Mechanism (concern): This is an instruction-only skill with no install spec and no bundled code. Yet it instructs running a binary named agentpact-watcher and copying a templates/agentpact.yaml config. There is no guidance where to obtain or verify the watcher binary (no install URL, no package name, no checksum). That gap increases operational risk: users may download an arbitrary binary from an untrusted source or run a nonexistent command. The absence of an install spec is acceptable only if no binaries are needed — here a binary is clearly needed but not provided or referenced.
- Credentials (concern): The skill requires sensitive environment values in practice (AGENTPACT_AGENT_ID and AGENTPACT_API_KEY) but the registry metadata lists no required env vars or primary credential. Asking for an API key and agent id is proportionate to the marketplace functionality, but the omission in metadata reduces transparency. Requesting keys that permit proposing deals and sending heartbeats is powerful—treat those secrets like full-privilege API credentials. The skill also suggests subscribing webhooks, which can send incoming notifications to endpoints you control (or accept callbacks), but the instructions don't explain scopes or minimum permissions for keys.
- Persistence & Privilege (ok): The skill is not marked always:true and defaults allow the agent to invoke it autonomously (platform default). That is expected because the skill describes a long-running watcher. There is no instruction to modify other skills or system-wide settings. Still, running a persistent daemon that holds API credentials increases blast radius if the watcher/binary is untrusted, so ensure you validate the binary and run it with limited privileges.
