v1.0.0
agent-card-signing-auditor
Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:56 AM.
Analysis
This instruction-only skill is coherently focused on auditing Agent Card signing and does not request credentials, persistence, or hidden installation steps.
Guidance: This appears safe to install as an instruction-only auditing helper. Before using it, remember that endpoint audits may contact the URL you provide; use direct JSON input if you do not want the agent to make a network request.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Abnormal behavior control
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
requires:\n bins: [curl, python3] ... An agent endpoint URL to fetch and audit the Agent Card
The skill declares local command-line tooling and supports fetching a user-provided endpoint. This is expected for auditing remote Agent Cards, but it is still a network/tool-use capability users should be aware of.
User impact: If used on a URL, the agent may make an outbound request to that endpoint to retrieve Agent Card metadata.
Recommendation: Provide only Agent Card JSON or endpoint URLs you intentionally want audited, and avoid pointing it at private/internal services unless that is your goal.
