Anyway Traces

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent for adding Anyway tracing, but users should review the external docs and what telemetry the SDK sends.

Install this only if you intend to add Anyway observability to an application. Before using it in a real project, review the official docs, confirm what trace data is collected and retained, configure redaction if needed, and keep API keys in a secrets manager or environment variables.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

LLM call traces or related metadata may leave the user's environment and be sent to Anyway's service when the SDK is configured.

Why it was flagged

The skill discloses that the SDK instruments LLM provider calls and uses an external collector endpoint, which is central to observability but creates a sensitive telemetry data flow.

Skill content

- The collector endpoint is `https://collector.anyway.sh/`
- The SDK auto-instruments calls to OpenAI, Anthropic, Cohere, Bedrock, Vertex AI, and other providers

Recommendation

Before enabling tracing, review Anyway's documentation for exactly what is captured, redaction options, retention, and whether prompts, responses, or user data are included.

ASI03: Identity and Privilege Abuse
Low
What this means

Improperly scoped or exposed API keys could give the SDK or application more access than intended.

Why it was flagged

The skill anticipates API key or secret configuration. This is expected for SDK setup and the guidance is safe, but credential handling remains sensitive.

Skill content

- Never hardcode API keys — use environment variables or a secrets manager

Recommendation

Use least-privilege keys where available, store them in a secrets manager or environment variables, and avoid committing them to source control.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The agent may follow updated instructions from docs.anyway.sh when installing or configuring the SDK.

Why it was flagged

The skill relies on remote documentation for setup and usage instructions. This is normal for a documentation-driven SDK skill, but the remote content is outside the submitted artifact and can change.

Skill content

Fetch the complete documentation index at: https://docs.anyway.sh/llms.txt
...
Fetch the relevant page(s) below for up-to-date installation, configuration, and usage instructions

Recommendation

Use the official Anyway documentation, review installation steps before applying them, and pin SDK versions in production projects where appropriate.