v1.2.6

Agented

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 8:45 PM.

Analysis

Agented is mostly a coherent local editing tool, but it has under-explained install/provenance risks, an unexplained purchase-capability signal, and persistent cross-agent notes that users should review carefully.

GuidanceInstall only if you want a persistent local editor that modifies files and stores cross-session agent notes. Pin or verify the `ae` binary, question the unexplained purchase-capability signal, avoid putting secrets in annotations, and disable or stop optional LSP/background features unless you need them.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

The first time you touch a file in a session, do it through `ae open <path>`. Not `Read`, not `Edit`, not `cat`.

The skill intentionally redirects normal file-reading/editing habits toward its own command flow. This supports the editor's design, but users should be aware it changes the agent's default tool behavior.

User impactThe agent may prefer this editor even when a simpler built-in read or edit action would be safer or easier to review.

RecommendationUse the skill for multi-step text editing where persistent history is useful, and instruct the agent explicitly when you want ordinary read/edit tools instead.

Tool Misuse and Exploitation

SeverityMediumConfidenceMediumStatusConcern

capability signals

can-make-purchases

A purchase-capability signal is not explained by the documented purpose of a local text editor, and no artifact bounds when or why such authority would be used.

User impactIf the platform treats this signal as meaningful authority, the skill may be associated with a high-impact capability unrelated to editing files.

RecommendationDo not grant purchase-related authority to this skill unless the publisher clearly documents why it is needed and how user approval is enforced.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

install spec

go | package: github.com/frane/agented/cmd/ae@latest | creates binaries: ae

The Go install target is unpinned, so the binary installed for registry version 1.2.6 can change over time and may not match the reviewed skill version.

User impactYou may install a different version of the tool than the one implied by the skill metadata, making behavior harder to reproduce or audit.

RecommendationPrefer a pinned release version with checksums or a reviewed Homebrew formula; avoid `@latest` for security-sensitive installations.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

README.md

A daemon (`ae lsp`) hosts language servers when you set `ide.enabled: true`.

The tool can start a background daemon and language-server processes, but the artifact says this is optional and off by default.

User impactEnabling IDE mode can run additional local processes that inspect project files and remain active during the editing workflow.

RecommendationEnable IDE/LSP mode only when needed, review `.agented/config.json`, and stop the daemon when finished.

Cascading Failures

SeverityLowConfidenceHighStatusNote

README.md

`ae apply` consumes JSON-lines on stdin and runs every operation inside one transaction. Multi-edit refactors ... become one round trip through ae, all-or-nothing

The tool can apply multi-edit or multi-file changes in one operation. Transactions reduce partial failure, but a bad batch can still affect many edits at once.

User impactA mistaken batch edit could quickly change multiple parts of a project before a human reviews the result.

RecommendationUse `--expect` tokens, review planned batch operations, and rely on transactions/undo for recovery rather than skipping review entirely.

Human-Agent Trust Exploitation

SeverityLowConfidenceMediumStatusNote

SKILL.md

You don't need to "view before write" — the editor will tell you if your assumption is stale.

The skill makes strong efficiency and safety claims that encourage fewer verification reads. This is part of its design, but users should not treat it as a substitute for reviewing important edits.

User impactThe agent may make edits with less intermediate inspection, which can reduce visibility into mistakes.

RecommendationFor sensitive files or high-impact changes, ask the agent to show a diff or summary even if the editor's workflow does not require repeated reads.

Rogue Agents

SeverityLowConfidenceHighStatusNote

README.md

State outlives the process. It also outlives the agent.

The tool intentionally persists workspace state after an agent session ends. This is disclosed and central to the product, but it means agent-created state can remain active for later sessions.

User impactOld state or annotations may continue affecting future editing sessions after the original task is complete.

RecommendationClear or archive `.agented/` state when a task is finished or when switching between unrelated projects or agents.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

README.md

Annotations are the cross-session memory. Per-file notes that persist across processes, across agents, across vendors.

Persistent annotations are a core feature, but they create reusable context that future agents may over-trust or that may contain sensitive project information.

User impactNotes left by one session or agent can influence later agents and may reveal information to other tools using the same workspace.

RecommendationTreat annotations as untrusted notes, periodically review or clear `.agented/` state, and avoid storing secrets in annotations.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

You want to leave notes for your future self or other agents (annotations) attached to specific files.

The skill deliberately uses annotations as a local handoff channel between agents, but the artifacts do not describe authentication or trust boundaries for those messages.

User impactAnother agent using the same workspace may read or act on notes without clear verification of who wrote them or whether they are still valid.

RecommendationUse annotations for low-risk handoff context, not commands or secrets, and verify important instructions against the user's current request.