Agent Contact Card
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill matches its stated purpose, but users should treat remote agent cards and webhook instructions as untrusted before sending information.
Install appears reasonable for an instruction-only contact-card helper. Before using it to contact another agent, verify the domain and channel, review any fetched card as untrusted text, and approve the exact message before sending sensitive or personal information.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote card could include misleading routing instructions or requests that go beyond simply choosing a contact channel.
The skill intentionally has the agent interpret prose from externally fetched contact cards; this is expected for routing, but remote prose should not be treated as higher-priority instructions than the user's request.
Parse the frontmatter for structured channel data, read the prose for routing rules.
Treat fetched card content as untrusted contact-routing data; ask the user before following instructions that change the task, use credentials, or send sensitive information.
Messages sent through listed channels or webhooks may be received, stored, or acted on by third-party agents or services.
The skill's core purpose includes agent-to-agent communication, including channels such as email, Discord, Signal, and webhooks; this is disclosed and purpose-aligned, but it sends user-selected content outside the local session.
You need to contact another agent on behalf of your user
Confirm the recipient domain/channel and review the message before sending, especially if it contains personal, financial, credential, or business-sensitive details.