Agentpmt Account Mcp Rest Api Setup
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the token may be able to invoke the AgentPMT tools and workflows available to that Agent Group.
The skill requires a sensitive account token that grants delegated access to the tools, workflows, and credentials enabled in the Agent Group.
Bearer Token from the Agent Group. The Bearer Token authorizes calls against that Agent Group catalog.
Use a least-privilege Agent Group, only add tools and credentials the caller truly needs, store the token securely, and rotate it if exposed.
An agent connected with this token could call available AgentPMT tools or workflows, including paid or state-changing tools if the user enabled them.
The skill documents authenticated tool invocation through REST/MCP. This is the stated purpose, but enabled tools may perform impactful actions depending on the Agent Group catalog.
Invoke a tool: POST https://api.agentpmt.com/products/purchase Authorization: Bearer <agentpmt_bearer_token>
List tools first, review what each enabled tool can do, and require user confirmation for any purchase, workflow, or state-changing action.
Running the local router installs or executes code from npm, and @latest may change over time.
The optional local router relies on an external npm package and an @latest reference. That is normal for this setup path, but the package contents are not included or pinned in these artifacts.
npm install -g @agentpmt/mcp-router agentpmt-setup ... "args": ["--package=@agentpmt/mcp-router@latest", "agentpmt-router"]
Install from a trusted npm registry, consider pinning a reviewed version, and avoid global installation if your environment requires stricter package control.
Tool arguments and results may pass through AgentPMT’s hosted service or local relay.
The skill sends MCP/tool traffic and authentication to a remote AgentPMT endpoint. This is disclosed and purpose-aligned, but it is still a sensitive provider communication path.
https://api.agentpmt.com/mcp/ ... "Authorization": "Bearer <agentpmt_bearer_token>" ... The local router is a thin relay to AgentPMT.
Do not send secrets or private data through tools unless the AgentPMT account, tool, and workflow are trusted for that data.