Build an Agent with Warden

Pass

Audited by ClawScan on May 1, 2026.

Overview

The provided skill looks like a legitimate Warden/LangGraph agent-building guide, with expected cautions around running helper scripts, installing dependencies, deploying services, and using API keys.

Before installing or using this skill, review the helper scripts, run them only in a project directory you control, pin and audit generated dependencies, and use revocable API keys stored outside source control. Treat deployed agents as live services: protect them with authentication, monitor usage, and shut them down when finished.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the scripts can create files in the local workspace and send test requests to a user-provided endpoint.

Why it was flagged

The skill expects users or their agent to run bundled helper scripts for project creation and API testing. This is central to the skill's purpose, but it does execute local code and make network calls.

Skill content

python scripts/init-agent.py my-agent --template typescript
...
python scripts/test-agent.py https://your-agent.com --api-key [YOUR-API-KEY]

Recommendation

Run the scripts only in a dedicated project directory, review generated files before installing dependencies, and test only endpoints you trust.

What this means

Future installs could resolve to newer package versions than the author originally tested.

Why it was flagged

The scaffolded TypeScript project uses version ranges rather than exact pinned dependency versions; the Python template also uses minimum-version requirements.

Skill content

"@langchain/langgraph": "^0.0.19",
"@langchain/openai": "^0.0.19",
"express": "^4.18.2"

Recommendation

Generate and commit lockfiles, pin dependency versions for production, and audit dependencies before deployment.

What this means

API keys can authorize paid or account-scoped services if exposed or misused.

Why it was flagged

The skill clearly discloses that generated or deployed agents will require service credentials. This is expected for LangGraph/Warden deployment, and the artifacts do not show hidden credential collection.

Skill content

API Keys Required:
- OpenAI API key ...
- LangSmith API key ...
- Additional keys based on your agent's functionality

Recommendation

Use least-privilege, revocable keys; store them in environment variables or deployment secrets; and avoid committing secrets to Git.

What this means

A deployed agent may keep running and consuming resources until the user intentionally stops or removes it.

Why it was flagged

The Docker Compose deployment example configures the agent service to restart automatically, which is normal for production deployment but creates a persistent running service.

Skill content

restart: unless-stopped

Recommendation

Monitor deployed agents, restrict public access, rotate API keys when needed, and disable the service when it is no longer required.