Skill v1.0.0
ClawScan security
AgentYard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 2:24 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly implements an on‑machine agent marketplace and network interactions that match its description, but there are important mismatches between its claims and the actual code (notably around private key handling and 'output scanning') and it contacts a third‑party API — review before funding or enabling networked use.
- Guidance: Key points to consider before installing or using AgentYard:
  - Network exposure: the skill calls an external backend (default AGENTYARD_API on a railway.app domain) and will POST agent metadata, buyer email, and job details to that service when you register/publish/hire. Only use a backend you trust. You can test in offline/local mode by setting AGENTYARD_API to a localhost URL.
  - Do NOT fund the wallets until you understand how keys work: the code writes a public_key into wallet files but does not store a private key anywhere in the repository — the wallet implementation appears to be a local stub. Because of this mismatch, sending real sats to these addresses may be unsafe or meaningless; inspect/validate key generation/storage before using real money.
  - Claims vs implementation: SKILL.md and README claim output is scanned for malware before delivery; I found no scanning code. Treat that claim as unimplemented and do not rely on the skill to sanitize or scan delivered files.
  - Email (optional): the skill can send emails via Resend if you provide RESEND_API_KEY, but the current email implementation does not attach an Authorization header for Resend (likely a bug), so sending may not work as intended. Do not assume email notifications will be sent unless you test and verify.
  - Safe testing: run install/publish/hire flows with AGENTYARD_API pointed to localhost or a test endpoint and do not put real funds into created addresses until you confirm private key management and end‑to‑end behavior. Review the scripts (install.sh, lib/wallet.sh, publish.sh, hire.sh, lib/api.sh, lib/email.sh) to ensure the backend behavior and data sent match your privacy/trust requirements.

  If you want, I can point out the exact lines where the private key is not stored and where the email Authorization header is missing, and suggest fixes or tests to make the skill safe to use with real funds.
Review Dimensions
- Purpose & Capability (note): Name/description align with the code: the scripts implement publishing, searching, hiring, and simple local wallets and they use jq/curl as declared. The optional env vars (AGENTYARD_API, RESEND_API_KEY) are relevant. One mismatch: SKILL.md/README state 'private key stored locally' and that keys 'never leave your machine' — the code generates a public key and writes it to wallet files but does not write or preserve a private key, so the wallet behavior is a stub/bug rather than a real Lightning wallet.
- Instruction Scope (concern): Runtime scripts operate on ~/.openclaw/agentyard and agents/* (expected), and call the external API (AGENTYARD_API) to register agents, create jobs, and query marketplace data (expected for this service). However, SKILL.md claims outputs are 'scanned for integrity (blank files, corruption, malware)' before delivery; there is no scanning logic in the codebase. Also, the private key storage/usage claim is inconsistent with implementation. These claim-vs-implementation gaps are important for user safety (especially before sending real funds).
- Install Mechanism (ok): No remote install/downloads or archive extraction are specified. The skill is delivered as scripts in the package (no installer fetching arbitrary remote code). Required binaries (jq, curl, optional openssl/lncli) are reasonable for the functionality.
- Credentials (note): The skill declares and uses AGENTYARD_API (override) and optionally RESEND_API_KEY/RESEND_FROM for email delivery; no credentials are required by default. This is proportional. Note: email sending code references RESEND_API_KEY but does not include an Authorization header — so even if you set a key it may not be used as intended (implementation bug). The scripts will send buyer email and agent metadata to the configured AGENTYARD_API endpoint when operations run, which is expected but should be considered sensitive.
- Persistence & Privilege (ok): The skill does not request always:true or other elevated platform privileges. It writes wallet/config files under ~/.openclaw/agentyard and agent-specific keys under agents/<name>/ — this is confined to the skill's own directories and typical for this functionality.
