Skill v1.0.0
ClawScan security
Agntor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 17, 2026, 9:00 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with a trust/payment relay for AI agents, but it relies on an npm package (remote code) and has some registry metadata mismatches that you should verify before installing.
- Guidance: This skill appears internally consistent, but take these precautions before installing:
  - Confirm the upstream: visit the GitHub, npm, docs, and dashboard links shown in SKILL.md and verify the package owner and repository match what you expect (registry metadata had 'Source: unknown').
  - Inspect the npm package: review @agntor/mcp source and recent release history, or install in an isolated environment. npx will execute code from the npm registry at runtime.
  - Limit AGNTOR_API_KEY scope: create a key with the minimum privileges required and be prepared to revoke it quickly.
  - Pin a specific package version rather than allowing floating installs, and prefer verifying signatures or checksums if available.
  - Run the MCP binary in a sandbox or CI step first to observe network behavior and required permissions.
  - Monitor logs and network traffic for unexpected endpoints and be cautious if the package requests additional credentials or file access.

  If you cannot verify the upstream repo and package contents, treat this as higher risk and avoid installing it in production.
Review Dimensions
- Purpose & Capability (note): Name/description (trust, redaction, escrow) align with the requested AGNTOR_API_KEY and the declared npm package @agntor/mcp; however the registry metadata at the top of the report lists 'Source: unknown' and 'Homepage: none' while SKILL.md embeds GitHub/npm/docs/dashboard links — verify that the package and repo actually exist and are controlled by the expected owner.
- Instruction Scope (ok): SKILL.md confines agent behavior to verification, guarding inputs, redaction, and escrow flows. It does not instruct reading unrelated files or exfiltrating secrets; it mandates calling guard_input/redact_output/get_trust_score/etc before interactions, which is consistent with the stated purpose.
- Install Mechanism (note): Install is via npm package @agntor/mcp (creates agntor-mcp-server). npm installs are traceable but execute remote code at install/run time (npx in MCP config). This is normal for such tooling but has moderate risk compared to instruction-only skills — review the package and prefer pinned versions.
- Credentials (ok): Only AGNTOR_API_KEY is required and is declared as the primary credential. This is proportionate to a networked trust/payment service.
- Persistence & Privilege (ok): 'always' is false; the skill does not request permanent platform presence or system-wide config changes. It expects to run an MCP server via npx when invoked, which is normal for a connector and not an elevated privilege by itself.
