PagerDuty Agent
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its PagerDuty purpose, but its code can send your PagerDuty API key to an environment-controlled endpoint, including non-HTTPS URLs.
Install only if you want your agent to access and change PagerDuty data. Use a limited PagerDuty API key, confirm any write action before it runs, and ensure PAGERDUTY_BASE_URL is unset or points only to a trusted HTTPS PagerDuty-compatible endpoint.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If PAGERDUTY_BASE_URL is set accidentally or maliciously, the PagerDuty API key could be sent to a non-PagerDuty server or over an unencrypted connection.
The PagerDuty API key is attached to every request, while the destination host is controlled by PAGERDUTY_BASE_URL and may use HTTP rather than HTTPS.
const BASE_URL = process.env.PAGERDUTY_BASE_URL || "https://api.pagerduty.com"; ... "Authorization": `Token token=${API_KEY}` ... const transport = url.protocol === "https:" ? https : http;
Do not set PAGERDUTY_BASE_URL unless you fully trust it. The skill should restrict this to HTTPS and expected PagerDuty hosts, or clearly document and validate any custom endpoint.
An agent using this skill can make live operational changes, such as creating incidents or marking them resolved.
The skill explicitly supports PagerDuty write operations that can create or change incident state.
Trigger, acknowledge, and resolve PagerDuty incidents ... export PAGERDUTY_FROM_EMAIL="you@yourcompany.com" # required for write operations
Use explicit user confirmation for write operations and prefer the least-privileged PagerDuty API key that supports the tasks you need.
