Agent Signet ID

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Signet API guide, but it uses an API key and can send or update Signet account and reputation data.

This skill is reasonable to install if you intend to use Agent Signet. Before using it, set SIGNET_API_KEY carefully, only send data to api.agentsignet.com, approve any write actions such as transaction reporting or key rotation, and keep metadata free of secrets or personal information.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used unintentionally, the agent could change Signet trust records, update configuration, or rotate a key in ways the user did not mean to perform.

Why it was flagged

The skill documents mutating API operations that can affect Signet reputation data, agent configuration, or credential state. These actions are disclosed and purpose-aligned, but they are not read-only.

Skill content

Report a transaction outcome to update your score ... Report configuration changes ... Generates a new API key and immediately invalidates the old one

Recommendation

Require clear user intent before registration, transaction reporting, configuration updates, or key rotation, and review request payloads before sending them.

What this means

Anyone or any agent with the SIGNET_API_KEY could use the documented authenticated Signet endpoints for that account.

Why it was flagged

The skill relies on an account-scoped bearer token and can access Signet operator profile information and owned agents. This is expected for the integration, but it is sensitive account authority.

Skill content

Authorization: Bearer $SIGNET_API_KEY ... Returns your operator profile and all agents you own.

Recommendation

Store SIGNET_API_KEY securely, use it only with api.agentsignet.com, avoid logging it, and rotate it if it may have been exposed.

What this means

Sensitive information placed in transaction metadata could be transmitted to Signet.

Why it was flagged

Transaction metadata may be sent to the external Signet API. The artifact clearly warns users not to include sensitive data, which makes this a disclosed data-sharing surface rather than a hidden one.

Skill content

The `metadata` field is for non-sensitive operational context only ... Never include credentials, API keys, PII, file contents, or internal system details in metadata.

Recommendation

Keep transaction metadata minimal and non-sensitive; do not include secrets, personal data, file contents, prompts, or internal system details.