Farmos Marketing
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its FarmOS marketing purpose, but it relies on undeclared local authentication files/scripts and non-HTTPS API calls for sensitive financial data, so it should be reviewed before use.
Install only if you recognize and trust this FarmOS API and the local `farmos-auth.sh` helper. Verify the role-mapping file is correct, use the least-privileged role, ensure the HTTP endpoint is on a secured private network or switch to HTTPS, and be cautious with full CSV exports or revenue/settlement outputs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the role file or token handling is wrong, the agent could disclose protected farm marketing, contract, settlement, or revenue data to someone who should not receive it.
This shows the skill uses manager/admin JWTs and a local role-mapping file to gate access to protected marketing data, even though the registry declares no primary credential or required config path.
TOKEN=$(~/clawd/scripts/farmos-auth.sh admin) ... TOKEN=$(~/clawd/scripts/farmos-auth.sh manager) ... Check the sender's role in `~/.clawdbot/farmos-users.json`.
Declare the credential and role-file requirements, prefer the least-privileged manager role by default, and make the role check mandatory before using both authenticated and unauthenticated endpoints.

A missing, modified, or unsafe helper script could run unexpected local code or mishandle FarmOS credentials.
Runtime authentication depends on a local helper script outside the provided skill package; no code or install spec was supplied to verify what that helper does with privileged tokens.
TOKEN=$(~/clawd/scripts/farmos-auth.sh admin)
Bundle or document the helper with provenance, pin/audit its contents, declare it as a required dependency, and avoid running it automatically without user awareness.

Bearer tokens and financial farm data could be exposed if the network path is not otherwise protected.
The documented request sends a bearer token to an HTTP endpoint; the artifacts do not explain TLS, private-network protections, or other safeguards for this sensitive provider/API flow.
curl -H "Authorization: Bearer $TOKEN" http://100.102.77.110:8013/api/endpoint
Use HTTPS where possible, or clearly document that this endpoint is only reachable over a secured private network; avoid sending JWTs over untrusted HTTP connections.

The agent may produce or export full contract/position data, which could be sensitive if shared broadly.
The skill discloses broad read/export capability for marketing positions; this is purpose-aligned, but it can retrieve complete sensitive business records.
GET /api/positions/export?crop_year=2025 ... Returns: CSV export of all positions.
Limit outputs to the requested crop year/entity, confirm before producing full exports, and avoid sharing results with unauthorized users.
