AgentPathfinder
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
AgentPathfinder has a coherent audit-log purpose, but the artifacts show plaintext full tool logging, broad command/file wrappers, and a possible hardcoded shared secret that users should review carefully.
Review before installing. This tool is meant to record detailed audit trails, so assume commands, arguments, outputs, and possibly secrets can be saved locally in plaintext. Do not rely on its cryptographic integrity until the reported hardcoded secret is explained or removed, and verify the package source because registry provenance is incomplete.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Audit records may not prove what the skill claims if a built-in shared secret can be reused or extracted.
The static scan reports a hardcoded API/shared secret in a core task engine file. For a tool whose security depends on HMAC signing and agent identity, a reusable embedded secret could allow signature forgery or impersonation if active.
api_key = [REDACTED](32) # 256-bit shared secret
Do not rely on the audit integrity until the maintainer removes the hardcoded secret, rotates any affected keys, and documents per-user/per-task key generation.
Secrets, command output, business data, or other sensitive tool results may be saved locally and later exposed to anyone with file access.
The skill persistently stores detailed tool context in plaintext, including possible secrets in command arguments or outputs.
Audit trails stored as plaintext JSONL... Tool call args/results visible to anyone who can read the file... if you log `exec("curl API_KEY=secret...")`, the secret is in the audit log
Use only with non-sensitive tasks unless redaction, retention limits, access controls, and secure storage are added and clearly configured.
Users may trust the skill not to retain sensitive data when its core logging behavior can in fact retain sensitive tool inputs and outputs.
This broad safety claim conflicts with other artifacts stating that full tool arguments/results are logged and that secrets in commands will be stored in the audit log.
No user data, credentials, source code, or external data is ever read, transmitted, or stored.
Update the safety documentation to accurately describe what is logged, where it is stored, how long it remains, and how users can redact or delete it.
If an agent uses these wrappers, it can affect local files, execute commands, and make network requests while recording the results.
The provided executor wrapper can run commands, access URLs, and read/write files. This is relevant to an audit tool, but the operations are broad and should be explicitly user-controlled.
`exec(command, timeout)` → Runs shell command... `web_fetch(url, max_chars)`... `read_file(path)`... `write_file(path, content)`
Only allow these wrappers in trusted, scoped workflows; add clear approval gates or path/command restrictions for high-impact operations.
It is harder for users to verify that the packaged code matches a trusted upstream release.
The registry metadata does not provide a source or homepage even though the package contains executable code and documentation references external release provenance.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: 16 code file(s)
Verify the package source manually before use and ask the publisher to provide a homepage/source URL and reproducible release information.
