Agent Reputation Checker

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill should be reviewed before use because it uses bundled and local platform credentials, and some checks appear to score a fixed or self account instead of the agent you asked about.

Before installing, treat the output as untrusted for payment or safety decisions until the skill removes hardcoded credentials, declares any local credential use, and verifies that every platform lookup actually checks the agent name you provide.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The trust score could be based on the wrong account, which may mislead users making payment or collaboration decisions.

Why it was flagged

The code shows some platform checks using a fixed or self account rather than the user-supplied agent name, despite the skill being presented as a reputation check for a named agent.

Skill content

body={"agent_id": "bro-agent", "api_key": COLONY_API_KEY} ... "https://thecolony.cc/api/v1/agents/me" ... "use /agents/me for self-check"

Recommendation

Only rely on the score after the skill uses target-specific lookups for every platform, or clearly labels self-checks and excludes them from the target agent's score.

What this means

Requests may run under unknown bundled accounts or shared API quotas, and users cannot scope, rotate, or revoke those credentials themselves.

Why it was flagged

The script contains literal provider API credentials while the registry metadata declares no primary credential or required environment variables.

Skill content

COLONY_API_KEY = "col_..."; CLAWK_API_KEY = "clawk_..."; UGIG_API_KEY = "ugig_live_..."; RIDGELINE_API_KEY = "rdg_..."

Recommendation

Remove hardcoded API keys and require user-provided, least-privilege credentials through declared environment variables or configuration.

What this means

If a Moltbook credential exists on the machine, the skill can use that account credential during a reputation check without a clear metadata-level permission boundary.

Why it was flagged

The script reads a local Moltbook API key and uses it for authenticated requests, even though the registry metadata lists no required config paths or credentials.

Skill content

p = Path.home() / ".config" / "moltbook" / "credentials.json" ... headers={"X-API-Key": key}

Recommendation

Declare the credential and config path in metadata, ask the user before using local account credentials, and make clear exactly which account data is accessed.