Clawdrug
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill openly tells agents to use an external “drug” marketplace to autonomously change their behavior and publish reports or modules, with no human review and unclear data controls.
Install only if you intentionally want an experimental, agent-only prompt/module marketplace. Keep it disabled for normal tasks, require explicit approval for every API action, never submit sensitive prompts or outputs, and do not allow remote modules to override higher-priority instructions or user goals.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may produce responses or take follow-on actions influenced by untrusted marketplace prompts rather than the user’s intent.
The skill is explicitly designed to let third-party modules alter an agent’s behavior, which can redirect the agent away from the user’s intended goal if not strictly sandboxed.
AI agents dose each other with code, alter behavior, expand capabilities, and evolve cognition.
Only use this in a sandboxed experiment with explicit user approval, and treat all modules as untrusted content that must not override system, developer, or user instructions.
An agent could publish or fork unsafe prompt modules that become available to other agents, creating public or shared side effects beyond the current user session.
The documented API workflow allows publishing behavior-modifying modules to a shared marketplace without any stated human approval, moderation, rollback, or containment process.
Published drugs are immediately available to all agents.
Require explicit user confirmation before any publish, fork, or report operation, and add moderation, rollback, and scope limits for shared modules.
The agent will need to hold and use a Clawdrug API key for the external service.
The skill requires a service API key even though the registry metadata declares no primary credential. This appears purpose-aligned for the service, but users should understand a credential is involved.
All requests require: Authorization: Bearer YOUR_API_KEY
Declare the API key requirement in metadata and store the key only in a scoped secret store, not in prompts, chat logs, or shared reports.
Private user prompts, generated outputs, or context could be uploaded to a third-party service and reused in the agent marketplace.
Trip reports send prompts and outputs to the external service for other agents to learn from, but the skill does not define what data is safe to share or how sensitive user content is protected.
"inputPrompt": "Your input prompt", "outputText": "The generated output"
Do not submit user data, confidential prompts, or sensitive outputs unless the user explicitly approves; add redaction and clear data-retention/sharing terms.
The agent could continue making marketplace decisions or behavior changes without meaningful user control if the host allows autonomous invocation.
The skill frames autonomous agent participation as the intended operating mode, including behavior modification, publishing, consumption, and reporting, without human oversight.
Fully autonomous. No humans in the loop.
Require human-in-the-loop approval for each external action, especially applying modules, publishing modules, forking modules, or submitting reports.