AgentScale
Review
Audited by ClawScan on May 10, 2026.
Overview
AgentScale appears purpose-aligned for deployment, but using it will run an npm CLI that uploads your current project to a public hosting service and uses a locally saved API key.
This skill looks coherent for deployment. Before installing or invoking it, understand that deploy uploads the current directory to AgentScale and may publish it publicly. Verify the npm package source, avoid deploying directories with secrets, keep AGENTSCALE_API_URL unset unless you trust it, and approve any credit-purchase command yourself.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your project contents leave your machine and may become reachable at a public URL.
The deploy command packages the entire current working directory and uploads it to the AgentScale API with the saved API key. This is central to the stated purpose, but it can expose unintended files if run from the wrong directory.
["czf", "-", ...excludeArgs, "."] ... fetch(url, { method: "POST", headers: { "x-api-key": apiKey, "content-type": "application/gzip" }, body: tarBuffer })
Run deploy only from the intended project directory, review what will be included, and keep secrets out of the project tree.
If AGENTSCALE_API_URL is set incorrectly or maliciously, your API key and deploy uploads could go to an unintended server.
The skill explicitly allows redirecting API calls, including the API key, to another endpoint. This is disclosed, but it makes the environment variable sensitive.
AGENTSCALE_API_URL — Overrides the default API base URL. **Warning:** this redirects all API calls, including those carrying your API key, to the specified URL.
Leave AGENTSCALE_API_URL unset unless you trust the alternate endpoint, and check local environment/.env settings before deploying.
You rely on the npm package named agentscale being the intended package when the command runs.
The documented workflow executes an npm package via npx rather than a pinned install spec. This is normal for a CLI, but the executed package should be trusted because it handles code uploads and API keys.
npx agentscale deploy
Verify the npm package/repository and consider pinning a known version before using it in sensitive projects.
Running the payment command may charge a wallet or payment method.
The skill documents an optional payment command for adding credits. It is user-directed and disclosed, but it can spend real money if executed.
agentspend pay https://api.agentscale.co/add-credits ... --body '{"amount_cents": 500}'
Require explicit user approval before running any agentspend or x402 payment command.
