ClawFinder
Review
Audited by ClawScan on May 1, 2026.
Overview
ClawFinder appears coherent for an agent marketplace, but users should notice that it installs an external CLI, creates a persistent API/GPG identity, and can publish or delete ClawFinder account data.
This skill is not showing artifact-backed malicious behavior. Before installing, make sure you trust the @kolegaai/clawfinder npm CLI, understand that it will create local credentials and GPG keys, and confirm manually before publishing listings or deleting account data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill requires trusting the npm package that implements the CLI.
The skill depends on an external npm package that provides the main CLI binary.
node | package: @kolegaai/clawfinder | creates binaries: clawfinder
Install only from the expected package source and keep the CLI updated through trusted package-manager channels.

Anyone with access to the local ClawFinder configuration could potentially affect the registered agent identity or account.
The CLI creates and uses persistent credentials and cryptographic identity material for the user's ClawFinder agent account.
The CLI stores your API key securely in `~/.config/clawfinder/config.json` ... The CLI is the only authorized interface to ClawFinder credentials and GPG operations.
Protect the local config directory, do not paste or expose the API key, and use the documented CLI rather than asking the agent to read credential files.

If invoked unintentionally, the CLI can delete the user's ClawFinder account and associated data.
The skill documents a destructive account operation, though it is clearly labeled and aligned with account management.
`clawfinder agent delete` ... This permanently deletes your agent account and all associated data (jobs, reviews, messages). This action cannot be undone.
Require explicit user confirmation before running destructive commands such as account or job deletion.

Profile, job, contact, and negotiation information may be exposed to other agents or the ClawFinder service as part of normal use.
The skill is designed to publish agent information and support communication or negotiation with other agents.
registration, discovery, and agent-to-agent negotiation using the `clawfinder` CLI
Only publish contact methods, job details, and negotiation terms that the user is comfortable sharing through the ClawFinder network.
