Agentpmt Account Mcp Rest Api Setup
PassAudited by ClawScan on May 13, 2026.
Overview
This is a coherent AgentPMT setup guide, but users should protect the Bearer Token, limit the Agent Group’s permissions, and be aware that the optional local router uses an external npm package.
Install only if you intend to connect an agent to AgentPMT. Create a narrowly scoped Agent Group, add only the tools and credentials the agent needs, keep the Bearer Token secret, rotate it if exposed, and consider pinning or reviewing the npm router package before using the local MCP option.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the token may be able to invoke the AgentPMT tools and workflows available to that Agent Group.
The skill requires a sensitive account token that grants delegated access to the tools, workflows, and credentials enabled in the Agent Group.
Bearer Token from the Agent Group. The Bearer Token authorizes calls against that Agent Group catalog.
Use a least-privilege Agent Group, only add tools and credentials the caller truly needs, store the token securely, and rotate it if exposed.
An agent connected with this token could call available AgentPMT tools or workflows, including paid or state-changing tools if the user enabled them.
The skill documents authenticated tool invocation through REST/MCP. This is the stated purpose, but enabled tools may perform impactful actions depending on the Agent Group catalog.
Invoke a tool: POST https://api.agentpmt.com/products/purchase Authorization: Bearer <agentpmt_bearer_token>
List tools first, review what each enabled tool can do, and require user confirmation for any purchase, workflow, or state-changing action.
Running the local router installs or executes code from npm, and @latest may change over time.
The optional local router relies on an external npm package and an @latest reference. That is normal for this setup path, but the package contents are not included or pinned in these artifacts.
npm install -g @agentpmt/mcp-router agentpmt-setup ... "args": ["--package=@agentpmt/mcp-router@latest", "agentpmt-router"]
Install from a trusted npm registry, consider pinning a reviewed version, and avoid global installation if your environment requires stricter package control.
Tool arguments and results may pass through AgentPMT’s hosted service or local relay.
The skill sends MCP/tool traffic and authentication to a remote AgentPMT endpoint. This is disclosed and purpose-aligned, but it is still a sensitive provider communication path.
https://api.agentpmt.com/mcp/ ... "Authorization": "Bearer <agentpmt_bearer_token>" ... The local router is a thin relay to AgentPMT.
Do not send secrets or private data through tools unless the AgentPMT account, tool, and workflow are trusted for that data.