Zynd Agent Network
Audited by ClawScan on May 10, 2026.
Overview
The skill’s core purpose is coherent, but it can expose received messages on a public webhook and make paid remote-agent calls without clear spending limits or approval safeguards.
Install only if you intend to connect your agent to a public multi-agent/payment network. Use a dedicated Zynd account and wallet, protect the .agent-* config directory, avoid sending sensitive data to unknown agents, pin or review the SDK, and do not expose the webhook server publicly unless you add authentication, firewalling, and message-access controls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the webhook port may be able to read recent incoming agent messages, and unauthenticated remote agents can send content into the agent’s workflow.
The server listens on all interfaces by default and exposes the last received messages through a GET endpoint with no authentication or DID verification shown.
parser.add_argument("--host", default="0.0.0.0", help="Host to bind to (default: 0.0.0.0)")
...
@app.route("/messages", methods=["GET"])
def list_messages():
    ...
        "messages": received_messages[-20:]
Bind the server to localhost or a protected interface unless public access is required, firewall the port, add authentication/DID verification, and remove or protect the /messages endpoint.
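As an added example (not code from the skill or the Zynd SDK), the endpoint below applies the controls recommended above: it binds to 127.0.0.1 unless the operator opts in to another interface, rejects any request without a valid bearer token before it touches the message store, and only then returns the last 20 messages. The skill uses Flask; this version uses the standard library's http.server so it runs with no extra dependencies, and the MESSAGES_TOKEN setting, the sample messages and the handler names are assumptions. A DID-signature check on the caller would sit where the token check is.

```python
import hmac
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Constructed sample of the kind of entries the skill keeps in received_messages.
RECEIVED_MESSAGES = [
    {"from_did": "did:example:alice", "to_did": "did:example:me", "body": "task A"},
    {"from_did": "did:example:bob", "to_did": "did:example:me", "body": "task B"},
]

# Hypothetical operator-set secret; the audited skill has no such setting.
MESSAGES_TOKEN = os.environ.get("MESSAGES_TOKEN", "replace-with-a-random-token")


def is_authorized(headers, expected_token=MESSAGES_TOKEN):
    """Accept only 'Authorization: Bearer <token>' and compare in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def visible_messages(messages, limit=20):
    """The same 'last 20' view the skill exposes, reached only after the auth check."""
    return list(messages[-limit:])


class MessagesHandler(BaseHTTPRequestHandler):
    messages = RECEIVED_MESSAGES

    def do_GET(self):
        if self.path != "/messages":
            self._reply(404, {"error": "not found"})
        elif not is_authorized(self.headers):
            # Deny before reading the store; the body gives no hint about its contents.
            self._reply(401, {"error": "unauthorized"})
        else:
            self._reply(200, {"messages": visible_messages(self.messages)})

    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        return  # silence per-request logging


def serve(host="127.0.0.1", port=0):
    """Bind to loopback unless the operator passes another host; port 0 picks an ephemeral port."""
    server = ThreadingHTTPServer((host, port), MessagesHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_messages(url, token=None):
    """Client helper used to exercise the endpoint; returns (status, decoded JSON)."""
    req = Request(url)
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    opener = build_opener(ProxyHandler({}))  # ignore proxy environment variables for loopback
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    srv = serve()
    url = f"http://127.0.0.1:{srv.server_address[1]}/messages"
    print(fetch_messages(url))                   # 401: no token
    print(fetch_messages(url, "not-the-token"))  # 401: wrong token
    print(fetch_messages(url, MESSAGES_TOKEN))   # 200: the two sample messages
    srv.shutdown()
```

The token compare uses hmac.compare_digest so a wrong token costs the same time as a right one; if the endpoint is not needed at all, dropping the route is simpler than protecting it.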
A delegated task could spend funds or testnet/mainnet payment assets if the agent invokes the paid path without the user noticing the cost.
When --pay is used, the script signs and submits an x402 payment to the target webhook, with no artifact-visible spending cap, price check, or separate approval step.
if args.pay:
    processor = X402PaymentProcessor(secret_seed)
    response = processor.post(
        webhook_url,
        json=message.to_dict(),
        headers={"Content-Type": "application/json"},
        timeout=args.timeout,
    )
Require explicit user approval for every paid call, display the target agent and price before payment, and enforce configurable per-call and daily spending limits.
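One way to put the missing safeguards in front of the paid path, as an added example that is not the skill's or the SDK's code: a SpendingPolicy enforces a per-call and a daily cap, then requires an explicit yes from an approver callback that is shown the target and the price, and only after both checks does the wrapper call the post function. The post, approver and price inputs are constructed stand-ins (the real price would come from the target's x402 payment requirement, which this example does not parse); amounts are integers in the payment asset's smallest unit by assumption.

```python
from dataclasses import dataclass, field
from datetime import date


class PaymentRefused(Exception):
    """Raised when a paid call must not proceed; processor.post is never reached."""


@dataclass
class SpendingPolicy:
    # Amounts are integers in the asset's smallest unit (assumption; match the wallet's unit).
    per_call_limit: int
    daily_limit: int
    spent_today: int = 0
    day: date = field(default_factory=date.today)
    ledger: list = field(default_factory=list)

    def _roll_day(self, today):
        if today != self.day:
            self.day, self.spent_today = today, 0

    def authorize(self, target, price, approve, today=None):
        """Enforce the caps first, then require explicit consent from approve(target, price).

        approve is a hypothetical callback that shows the target agent and the price to the
        user and returns True only on an explicit yes; the audited script has no such step."""
        self._roll_day(today or date.today())
        if price < 0:
            raise PaymentRefused("negative price")
        if price > self.per_call_limit:
            raise PaymentRefused(f"{price} exceeds per-call limit {self.per_call_limit}")
        if self.spent_today + price > self.daily_limit:
            raise PaymentRefused(
                f"{price} would exceed daily limit {self.daily_limit} (spent {self.spent_today})")
        if not approve(target, price):
            raise PaymentRefused(f"user declined payment of {price} to {target}")
        self.spent_today += price
        self.ledger.append((self.day, target, price))


def send_paid_message(policy, post, approve, webhook_url, price, payload):
    """Gate the paid path: post() (stand-in for X402PaymentProcessor.post) runs only after approval."""
    policy.authorize(webhook_url, price, approve)
    return post(webhook_url, json=payload)


# Constructed stand-ins so the guard can be exercised offline.
SENT = []


def fake_post(url, json=None):
    SENT.append((url, json))
    return {"status": 200}


def always_yes(target, price):
    print(f"approve payment of {price} to {target}? yes")
    return True


def always_no(target, price):
    print(f"approve payment of {price} to {target}? no")
    return False


def demo():
    """Run a fixed scenario; returns (posts made, refusal reasons, amount spent today)."""
    SENT.clear()
    policy = SpendingPolicy(per_call_limit=100, daily_limit=250)
    refusals = []
    calls = [
        (100, always_yes), (100, always_yes), (100, always_yes),  # third one breaks the daily cap
        (150, always_yes),                                        # breaks the per-call cap
        (50, always_no),                                          # within caps, user declines
    ]
    for price, approver in calls:
        try:
            send_paid_message(policy, fake_post, approver,
                              "https://agent.example/webhook", price, {"task": "x"})
        except PaymentRefused as err:
            refusals.append(str(err))
    return len(SENT), refusals, policy.spent_today


if __name__ == "__main__":
    print(demo())
```

The ledger gives the user a record to reconcile against the wallet; the daily counter is in memory here and would need to be persisted for a long-running agent.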
If the local .agent-* config is exposed or mishandled, another process or user could potentially impersonate the agent or authorize payments.
The skill reads local DID credentials and a seed from the agent config directory; this is sensitive identity/payment material beyond the declared ZYND_API_KEY.
config = ConfigManager.load_config(args.config_dir)
...
identity_credential = config["did"]
secret_seed = config["seed"]
Store the config directory with restrictive permissions, document that it contains sensitive seed material, and avoid sharing or committing .agent-* directories.
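As an added example of the storage rule above (not the SDK's ConfigManager), the loader below refuses to read a config directory or file that is a symlink, owned by another user, or has any group/other permission bits set, and the writer creates them 0700/0600 regardless of umask. The config.json filename and the demo contents are assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


class InsecureConfig(Exception):
    """Raised instead of loading DID/seed material from a location others can read."""


def permission_problems(path):
    """Return the reasons `path` is unsafe to hold secrets (an empty list means it is fine)."""
    p = Path(path)
    problems = []
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{p} is a symlink")
    if st.st_mode & 0o077:
        problems.append(f"{p} is group/other accessible (mode {oct(stat.S_IMODE(st.st_mode))})")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{p} is owned by uid {st.st_uid}, not the current user")
    return problems


def load_config(config_dir, filename="config.json"):
    """Check both the directory and the file before reading; filename is an assumption."""
    d = Path(config_dir)
    problems = permission_problems(d) + permission_problems(d / filename)
    if problems:
        raise InsecureConfig("; ".join(problems))
    with (d / filename).open() as fh:
        return json.load(fh)


def write_config(config_dir, data, filename="config.json"):
    """Create the directory 0700 and the file 0600 so the seed is never world-readable."""
    d = Path(config_dir)
    d.mkdir(mode=0o700, exist_ok=True)
    os.chmod(d, 0o700)  # mkdir's mode is masked by umask; enforce it explicitly
    fd = os.open(d / filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    os.chmod(d / filename, 0o600)  # O_CREAT's mode does not apply to a pre-existing file


def demo():
    """Write a constructed config, load it, loosen the file mode, and show the load is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg_dir = os.path.join(tmp, ".agent-demo")
        write_config(cfg_dir, {"did": "did:example:me", "seed": "constructed-not-a-real-seed"})
        loaded = load_config(cfg_dir)
        os.chmod(os.path.join(cfg_dir, "config.json"), 0o644)
        try:
            load_config(cfg_dir)
            refused = None
        except InsecureConfig as err:
            refused = str(err)
        return loaded["did"], refused


if __name__ == "__main__":
    print(demo())
```

Refusing to load is deliberate: a warning that scrolls past still leaves the seed in use, while a hard failure forces the operator to fix the permissions before the agent can sign anything.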
A future SDK update could change behavior without being reflected in these reviewed files.
Setup downloads and upgrades an external SDK using a version range, so the reviewed skill does not fully pin the code that handles registry, messaging, credentials, and payments.
python3 -m pip install --quiet --upgrade "zyndai-agent>=0.2.2"
Use a virtual environment, pin an exact SDK version or lockfile where possible, and review the SDK source before trusting it with API keys or payment seed material.
The agent can remain discoverable and keep updating its webhook registration after the initial command until the process is stopped.
Registration starts a long-running process that refreshes the agent’s webhook registration until interrupted; this is disclosed and purpose-aligned but persistent.
print("Webhook URL will be refreshed with the registry every 5 minutes.")
...
REFRESH_INTERVAL = 300
...
while not shutdown_event.is_set():
    shutdown_event.wait(1)
Run registration/server processes only when needed, stop them with Ctrl+C, and confirm registry status when the agent should no longer be reachable.
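As an added example (not the skill's registration code or the Zynd SDK), the loop below keeps the refresh behaviour shown above but makes the shutdown path explicit: it waits on the event for the full refresh interval (so Ctrl+C is noticed immediately), refreshes on each timeout, and always deregisters in a finally clause so the agent stops being discoverable as soon as the process exits. The registry client is a constructed stand-in with assumed register/refresh/deregister/status methods; the real SDK's calls will differ.

```python
import signal
import threading
import time


class FakeRegistry:
    """Constructed stand-in for the Zynd registry client; not the SDK's real API."""

    def __init__(self):
        self.webhook_url = None
        self.refreshes = 0

    def register(self, url):
        self.webhook_url = url

    def refresh(self, url):
        self.refreshes += 1
        self.webhook_url = url

    def deregister(self):
        self.webhook_url = None

    def status(self):
        return {"reachable": self.webhook_url is not None, "webhook_url": self.webhook_url}


def run_registration(registry, webhook_url, shutdown_event, refresh_interval=300.0):
    """Register, refresh every refresh_interval seconds, and always deregister on exit.

    Event.wait returns True the moment the event is set, so shutdown is noticed at once
    rather than at the next refresh; the finally clause also runs on KeyboardInterrupt."""
    registry.register(webhook_url)
    try:
        while not shutdown_event.wait(refresh_interval):
            registry.refresh(webhook_url)
    finally:
        registry.deregister()
    return registry.status()


def install_signal_handlers(shutdown_event):
    """Turn SIGINT (Ctrl+C) and SIGTERM into a clean shutdown; call from the main thread."""
    for sig in (signal.SIGINT, signal.SIGTERM):
        signal.signal(sig, lambda *_: shutdown_event.set())


def demo(refresh_interval=0.02, run_for=0.2):
    """Run the loop briefly in a worker thread, stop it, and return (refreshes, status after stop)."""
    registry = FakeRegistry()
    stop = threading.Event()
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(
            run_registration(registry, "https://example.invalid/webhook", stop, refresh_interval)))
    worker.start()
    time.sleep(run_for)
    stop.set()
    worker.join(timeout=5)
    return registry.refreshes, result


if __name__ == "__main__":
    install_signal_handlers(threading.Event())
    print(demo())
```

After stopping a real agent, query the registry's status the same way the demo does and confirm it reports the agent as not reachable; a deregister call that failed (network error, expired API key) leaves the stale webhook registered until its TTL lapses.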
