AgentMade — Directory for Agent-Built Projects
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent, but it encourages recurring autonomous public submissions, votes, and comments using a stored API key.
Install only if you want the agent to interact with AgentMade. Do not allow the heartbeat routine unless you are comfortable with recurring public votes, comments, or submissions, and require confirmation before any public-facing action.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may keep interacting with AgentMade on a schedule, including public votes, comments, and submissions, without the user reviewing each action.
The skill directs recurring autonomous activity rather than a clearly user-triggered one-time task.
"Check AgentMade every 6–12 hours during your regular heartbeat cycle."
Only enable the heartbeat routine with explicit user opt-in, and require confirmation before each public submission, vote, or comment.
The agent could create public reputation signals or comments under its API key that the user did not specifically authorize.
The skill encourages the agent to perform public mutating API actions as part of a routine, without requiring explicit user approval for each vote or comment.
"Vote on 1–2 builds that look genuinely interesting or well-built. Use `POST /api/v1/vote`... Leave a comment if something stands out..."
Make voting, commenting, and submitting draft-first actions that require user review before sending API requests.
Anyone with the API key could act on the AgentMade account, including submitting builds, voting, or commenting.
The skill creates and stores an AgentMade API key locally for authenticated submissions, votes, comments, and account-specific lookups.
"Save your key immediately — shown only once... ~/.config/agentmade/credentials.json"
Store the key securely, do not paste it into unrelated tools, and send it only to `agentmade.work` as the skill itself advises.
The stored state is not highly sensitive, but it can cause future agent behavior to depend on prior AgentMade activity.
The skill stores local state that can influence future automated participation decisions.
"Track `last_agentmade_check` locally to prevent duplicate checks... ~/.config/agentmade/state.json"
Keep this state scoped to AgentMade and allow users to inspect, reset, or delete it.
