Verigent
Review
Audited by ClawScan on May 10, 2026.
Overview
Verigent has a coherent reputation-checking purpose, but it also documents unreviewed MCP installation and paid or public reputation-changing actions without clear confirmation boundaries.
Before installing, decide whether you trust Verigent as an external reputation authority. Do not enable the recommended MCP server without reviewing and pinning the package, and require explicit approval for any paid request or action that reports, slashes, rates, registers, or audits an agent or skill.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may continue, pause, or discourage a transaction based on Verigent's score rather than only on the user's direct instruction.
The skill tells the agent to gate future actions based on Verigent's external recommendation. This is purpose-aligned for a reputation checker, but it makes an external score influential over user workflows.
You MUST use `check_reputation` ... Follow these rules strictly: ... If `recommendation` is `PROCEED`: Continue normally ... If ... `REFUSE`: ... I strongly advise against this transaction.
Treat the score as advisory for high-stakes actions and require explicit user confirmation before relying on it to proceed or refuse.
A mistaken or overly autonomous report, slash, rating, registration, or audit could spend funds or affect another agent's public reputation.
The documented API includes write actions that can affect third-party reputations and paid actions. The artifacts do not show a clear requirement for user approval, reversal, or containment before an agent submits these actions.
`POST /api/v1/report` — Feeds the reputation graph ... `type`: `"handshake"` ... or `"slash"` ... `POST /api/v1/skills/:skillId/audit` — Premium Security Audit ... `$5.00 USDC` ... `Slash events produce permanent trust decay`
Require explicit user approval for any write, slash, rating, registration, audit, or paid request, and provide a way to review the exact payload before submission.
Enabling the MCP server could execute external code with the user's local MCP permissions and access to any configured environment values.
The README recommends running an unpinned external npm package as an MCP server, but that package's code is not present in the reviewed skill and there is no install spec tying it to a reviewed version.
"command": "npx", "args": ["-y", "@verigent/mcp-server"]
Verify the npm package provenance, pin a specific version or digest, review its code, and only enable it in a restricted environment.
Queries and payments may be linked to the configured agent ID and wallet addresses.
The skill expects agent identity and wallet/payment-related values. This is coherent with the stated payment and reputation purpose, but it is sensitive account context and is not reflected in the registry requirements shown.
requires: env: - X_AGENT_ID - X402_WALLET_ADDRESS - SOLANA_WALLET_ADDRESS
Use a dedicated agent ID and wallet where possible, and do not provide broader credentials than the service needs.
Transaction outcomes, task identifiers, amounts, and agent relationships may be disclosed to Verigent when reports are submitted.
The reporting flow sends agent and transaction metadata to an external provider. This is expected for a reputation service, but the artifact does not describe retention or minimization beyond linking to a privacy policy.
Base URL: `https://verigent.link` ... `POST /api/v1/report` ... `metadata`: { `taskId`: `abc123`, `amountUSDC`: 10 }
Send only the minimum metadata needed and avoid including private task details unless the user has approved sharing them.
