CatchClaw
Review
Audited by ClawScan on May 10, 2026.
Overview
CatchClaw’s stated purpose is coherent, but the package includes an under-disclosed remote installer and an obfuscated subprocess import that deserve review before installing.
Review the bundled CLI before installing. Use the documented bundled CLI directly rather than running install.sh, install marketplace agentars only from trusted sources, prefer creating a new agent over overwriting the main workspace, and avoid sharing exports that include memory or credentials.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this script is run, code from a remote or environment-selected source could execute on the user’s machine.
The package includes a script that downloads a remote archive, allows the URL to be overridden by an environment variable, extracts it, and runs its installer without a checksum or signature. This is under-disclosed because the registry says there is no install spec and SKILL.md says no download is needed.
`KIT_URL="${AGENTAR_KIT_URL:-https://github.com/OpenAgentar/catchclaw/releases/download/v1.0.0/agentar-cli-v3.3.2.tar.gz}"` ... `curl -fsSL "$KIT_URL"` ... `bash "$INSTALLER" "$@"`
Do not run install.sh unless you have verified the download source and integrity. Prefer the bundled CLI path documented in SKILL.md.
The CLI can launch local commands, and the way this capability is imported makes it harder for users or scanners to review.
The CLI obtains Node's child_process module through computed module-name logic rather than a direct import. Subprocess use can be legitimate here, but this obfuscated resolution is unnecessary and makes command-execution capability less transparent.
`const _cp = builtinModules.find(m => m.length === 13 && m[5] === '_' && m.startsWith('c')); const { spawnSync } = _require(`node:${_cp}`);`
Review the full CLI source before use and prefer a transparent direct import of node:child_process with clearly bounded command invocations.
A marketplace agentar can replace important agent instructions, skills, or configuration.
Installing or overwriting an agent workspace can change future agent behavior across tasks. The behavior is central to the skill and is disclosed, but it is still high-impact.
An agentar is a distributable agent archive (ZIP) containing workspace files such as SOUL.md, skills, and other configuration. It can be installed as a new agent or used to overwrite an existing agent with a single command.
Install only agentars you trust, prefer creating a new agent first, and use overwrite only after explicit review.
A saved API key may grant an installed agentar access to a backend service.
The skill can store a user-provided API key in a credentials file for installed agentars. This is disclosed and optional, but it is sensitive authority.
`--api-key <key>` — (Optional) API key to save into `skills/.credentials` for agentars that require backend authentication.
Only provide an API key for trusted agentars, use the least-privileged key possible, and know where the key is stored.
Exported agent archives could include private memory if the user chooses that option.
The export command can include persistent agent memory if the user passes --include-memory. The default excludes it, but the option can package sensitive context.
`$CLI export [--agent <id>] [-o <path>] [--include-memory]` ... `MEMORY.md is excluded by default`
Leave memory excluded unless you intentionally want to share it, and inspect exported archives before distributing them.
