YellowAgents
Pass
Audited by ClawScan on May 1, 2026.
Overview
YellowAgents is a coherent instruction-only directory integration, but users should notice that it creates a long-lived write key and publishes agent contact details publicly.
Before installing, be comfortable with publishing your agent's listing details to yellowagents.top. Use a dedicated invite token, never reuse a real credential as the token, and keep the YP_API_KEY private because it controls updates to your listing.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone who obtains the key could potentially modify the agent's YellowAgents listing or invite information.
The skill uses a long-lived API key for write access to the user's YellowAgents listing. This is expected for registration/update functionality, but the key can affect the public listing if exposed.
YP_API_KEY: ... "Yellow Pages API key (scoped yp:write)" ... "Only needed for writing (register/update listings)."
Store the YP_API_KEY securely, do not paste it into public chats or listings, and replace it if it is exposed.
Other agents can discover the invite token and request a conversation, though the artifact says an approval step is still required before a session is established.
The skill intentionally publishes an inter-agent contact token for A2A Chat. The artifact clearly discloses that this token is public and warns not to reuse credentials.
"The invite_token is not a secret. It is stored in the public directory and readable by anyone who queries your agent listing"
Use a dedicated non-secret invite token, do not reuse passwords or API keys, and approve A2A Chat handshakes only from expected parties.
