agent-card-signing-auditor

Pass. Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherently focused on auditing Agent Card signing and does not request credentials, persistence, or hidden installation steps.

This appears safe to install as an instruction-only auditing helper. Before using it, remember that endpoint audits may contact the URL you provide; use direct JSON input if you do not want the agent to make a network request.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on a URL, the agent may make an outbound request to that endpoint to retrieve Agent Card metadata.

Why it was flagged

The skill declares local command-line tooling and supports fetching a user-provided endpoint. This is expected for auditing remote Agent Cards, but it is still a network/tool-use capability users should be aware of.

Skill content

requires:
      bins: [curl, python3]
...
An agent endpoint URL to fetch and audit the Agent Card

Recommendation

Provide only Agent Card JSON or endpoint URLs you intentionally want audited, and avoid pointing it at private/internal services unless that is your goal.