Vorim AI — Agent Identity & Trust
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to be a coherent Vorim identity and audit integration, with disclosed but sensitive API-key, external MCP-server, audit-logging, credential-delegation, and persistent identity behavior to review.
Install this only if you trust Vorim and the external `@vorim/mcp-server` package. Use a least-privilege API key, consider pinning/reviewing the MCP server, require explicit approval for credential delegation or permission elevation, and be aware that audit logging may create a persistent activity record.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these tools are invoked, credentials or access tokens could be delegated within the Vorim-managed agent environment.
The skill exposes credential delegation and token-request functions through the Vorim MCP server. This is expected for an agent identity/permissions product, but it is sensitive delegated authority.
`vorim_delegate_credential` | Delegate credentials to another agent | ... `vorim_request_token` | Request a short-lived access token |
Use a least-privilege Vorim API key and require explicit user approval for credential delegation, token requests, permission grants, elevation, and revocation operations.
The behavior of the runtime MCP server depends on the external npm package retrieved at install/run time.
Setup relies on an external npm MCP server invoked with npx, and the reviewed artifacts do not include or pin that package.
mcporter add vorim --command "npx @vorim/mcp-server" --env VORIM_API_KEY=agid_sk_live_...
Install only from the expected Vorim package source, consider pinning a trusted version, and review the MCP server package before granting sensitive credentials.
Vorim may receive a broad record of agent activity metadata, which could reveal sensitive workflows even if file contents are not shown in the artifact.
The skill instructs the agent to send action metadata to Vorim for audit logging after actions.
Log what you did by emitting an audit event using `vorim_emit_event`: ... `action`: what you did ... `result`: `success`, `denied`, or `error`
Avoid placing secrets or unnecessary private details in audit event text, and review Vorim’s retention and access controls before enabling broad logging.
The agent can be linked across sessions through a persistent Vorim agent ID and audit history.
The skill creates a persistent agent identity for future operations. This is disclosed and central to the trust/audit purpose.
Register once, reuse forever — save your agent_id after first registration
Keep track of registered agents and revoke unused identities when they are no longer needed.