R4
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is openly for R4 secrets and domains, but it gives the agent broad autonomous access to credentials and domain-changing actions with limited scoping or confirmation.
Use this only if you intentionally want to delegate password-manager and domain-registrar access to the agent. Before installing, restrict the R4 vault and domain permissions to the minimum needed, verify the r4 CLI/API key provenance, require confirmation for purchases or DNS changes, and avoid running untrusted commands with all secrets injected.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may retrieve or use passwords, API keys, database credentials, or SSH keys for third-party systems without a separate user prompt for each secret.
This grants the agent delegated access to sensitive credential types and encourages autonomous use, but the artifacts do not bound which items, accounts, or operations are permitted.
Whenever you need a login, API key, database credential, SSH key, or any other secret — look it up in R4 first. ... Your owner has shared vault items with you so you can operate autonomously.
Install only with a narrowly scoped R4 project/vault, restrict shared items to the minimum needed, and require explicit approval before using high-value credentials.
A mistaken or untrusted command could receive every vault secret, and the agent could make paid or disruptive registrar/DNS changes.
The skill exposes broad command execution with all secrets injected and raw API calls for domain purchase/DNS management, without clearly requiring user confirmation or limiting commands/domains.
r4 run -- <command> ... Executes a command with all vault secrets injected as environment variables. ... curl -X POST "https://r4.dev/api/v1/machine/domain-manager/purchase"
Avoid using `r4 run` with unreviewed commands, prefer injecting only named secrets, and require explicit user approval for domain purchases and DNS mutations.
Secrets could be exposed in transcripts, logs, or model context if the agent lists or retrieves them instead of piping them safely.
Vault commands can return raw secret values or broad key-value listings; in an agent workflow, that output may enter tool logs, chat context, or later reasoning unless carefully redacted.
r4 vault list ... Lists all project environment variables as a key-value table. ... r4 vault get <KEY> ... Outputs raw value — perfect for piping
Use targeted secret retrieval, suppress or redact tool output, avoid listing all secret values, and do not persist retrieved secrets in notes or memory.
A user may underestimate the local setup and account authority the skill expects.
The registry contract does not declare the r4 CLI, R4_API_KEY, or primary credential requirements that SKILL.md says are preconfigured, so users may not see the dependency and privilege assumptions before install.
Required binaries (all must exist): none ... Env var declarations: none ... Primary credential: none
Declare the required CLI, credential source, API key usage, and trust/provenance expectations in metadata.