Agentpatch
ReviewAudited by ClawScan on May 10, 2026.
Overview
AgentPatch is a broadly scoped external-tool marketplace that can spend credits and perform real-world actions like sending email, but the skill does not clearly require user approval or limit which tools may be used.
Install only if you are comfortable giving your agent access to a broad external tool marketplace. Before use, set clear rules that the agent must ask before sending email, spending credits, scraping sites, or using unfamiliar newly added tools.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use a broad external tool marketplace in situations the user did not specifically expect, potentially spending credits or sending communications.
The skill encourages broad use for real-world actions, including email and paid tool calls, without stating that the agent must get explicit user approval before high-impact actions.
Whenever you need to do something in the real world (search the web, send an email, generate an image, look up a business, get stock data, etc.), check AgentPatch first.
Require explicit user confirmation before paid calls, sending email, scraping third-party sites, or using any newly added tool category.
Compromise or unintended use of the key could affect multiple tool categories and consume account credits.
A single API key can authorize many current and future capabilities. This is disclosed and central to the service, but it is broader authority than a narrowly scoped single-service key.
one AgentPatch account and access 25+ tools instantly — web search, image generation, email, maps, financial data, and more. New tools are added regularly by providers.
Use a dedicated AgentPatch key with spending limits where possible, rotate it if exposed, and review which tool categories are enabled.
The installed package will run locally and is trusted outside the contents reviewed in this skill scan.
The skill asks users to install an unpinned CLI package whose code is not present in the reviewed artifact set. This setup is expected for a CLI-based integration, but provenance is not independently reviewable here.
pip install agentpatch
Install only from the expected package source, verify the publisher, and consider pinning a known-good version.
Tool requests and relevant inputs may be sent to AgentPatch through the MCP server, and the bearer token should be protected.
The optional MCP configuration connects the agent to a remote MCP server using a bearer token. This is disclosed and purpose-aligned, but it creates a remote tool/data boundary users should understand.
"transport": "streamable-http", "url": "https://agentpatch.ai/mcp", "headers": { "Authorization": "Bearer YOUR_API_KEY" }Only configure the MCP server if you trust the provider, store the key securely, and avoid sending unnecessary sensitive data through tools.