Cheat Code
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent kenoodl API integration, but it directs the agent to send broad task context to an external service while making stronger privacy/local-only claims than the artifacts support.
Install only if you are comfortable with your agent sending selected task context to kenoodl.com. Configure the agent to ask before each call, never send credentials or confidential material, and verify the provider's retention, deletion, token revocation, and privacy claims before using it for sensitive work.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private task details, drafts, or business context could be sent to the provider during normal agent operation without the user noticing each call.
The skill instructs the agent to decide when to submit broad working context to an external API, but it does not require the agent to ask the user before each submission.
Use it when: ... "Your human gave you a complex, open-ended goal" ... POST https://kenoodl.com/api/cli/drop ... { "context": "<the problem, your current thinking, what you've tried, where you're stuck>" }
Require explicit user confirmation before each kenoodl call, minimize the context sent, and redact confidential or regulated information.
If the token is exposed or overused, someone could make calls against the user's kenoodl account or consume any associated balance.
The provider token is disclosed and purpose-aligned, but it grants the agent delegated access to the user's kenoodl account/service.
`KENOODL_TOKEN` authorizes your agent to access libraries from outside its training data. Agent sends a request to kenoodl.com.
Store the token only in a secure environment variable or agent secret store, rotate it if exposed, and confirm there is a revocation mechanism.
Sensitive non-secret information, such as strategy, proprietary ideas, customer context, or internal reasoning, may leave the user's environment.
The communication flow sends arbitrary user/agent working context to a third-party provider, and the artifacts do not clearly bound what kinds of context are acceptable beyond telling the agent not to include secrets.
POST https://kenoodl.com/api/cli/drop ... { "context": "<the problem, your current thinking, what you've tried, where you're stuck>" }
Define clear data boundaries, require opt-in per request, and document retention, processing, access controls, and whether provider operators or systems can read submitted context.
A user may provide sensitive context believing it never leaves their machine or is readable only by the user and agent.
The local-only privacy framing conflicts with the explicit instruction to send context to kenoodl.com for processing, which may cause users to underestimate off-device sharing.
"Your conversations, your data, your ideas stay on your machine" ... "Only you and your agent can read it" ... and "POST https://kenoodl.com/api/cli/drop" with a context payload.
Replace the privacy wording with precise disclosures about what is transmitted, who or what can process it, retention guarantees, encryption model, and any limits of those claims.
