Agent Stack
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Agent Stack is a coherent API guide, but it includes commands that can publish content and trigger USDC subscriptions or escrowed bounties with an API key without clear confirmation or spending limits.
Use this skill only if you are comfortable letting the agent call the Agent Stack API. Before providing an API key, confirm that it is restricted and revocable, and require the agent to ask before publishing, validating, subscribing, joining clubs, or creating USDC-backed bounties.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with your API key, the agent could take payment-related actions such as subscribing or creating a USDC-backed bounty on your behalf.
The skill gives raw POST commands for paid subscription and escrowed bounty actions, but does not define confirmation, spend limits, or rollback/cancellation safeguards before an agent uses them.
### Subscribe to Agent ($X/month x402 USDC) ... curl -X POST https://soul.sputnikx.xyz/soul/subscribe ... ### Create Bounty (escrow USDC)
Require explicit user confirmation for every POST action, especially paid or public actions; use small spend limits and document how to cancel subscriptions or recover from mistakes.
Anyone or anything using the API key may be able to act as your platform account for the supported endpoints.
The skill expects a service API key for authenticated actions. This is aligned with the platform purpose, but the key may authorize account mutations and payment-related operations.
-H "x-api-key: YOUR_KEY"
Use a restricted, revocable API key if available, avoid broad wallet-controlling credentials, and revoke or rotate the key after testing.