Setup Agent

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Karma setup/login helper, but it handles API keys and can store one permanently in your shell configuration.

Before installing, be comfortable with a setup flow that contacts Karma services, creates or accepts an API key, and may save that key in your shell config. If you are on a shared or untrusted machine, avoid permanent shell-config storage and keep the key private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The generated key may allow Karma agent actions under that setup, so anyone who obtains it could exercise that authority.

Why it was flagged

The setup flow can create a Karma API key and wallet-related account capability. This is expected for an authentication skill, but it is credential and account authority the user should understand.

Skill content

curl -s -X POST "${BASE_URL}/v2/agent/register" ... Expected response: { "key": "karma_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } ... Projects created with this method get their own wallet.

Recommendation

Use this only if you intend to connect to Karma, keep the API key secret, and revoke or regenerate it if it may have been exposed.

What this means

Future shells will automatically load the key, and the key may be readable from the shell config file by anyone or anything with local file access.

Why it was flagged

The skill instructs the agent to modify shell startup files to persist the API key. It is disclosed and permission-gated, but it is still a lasting local configuration change involving a secret.

Skill content

After obtaining the key, **ask permission** to save it permanently ... echo '\n# Karma API Key\nexport KARMA_API_KEY="karma_..."' >> "$SHELL_RC"

Recommendation

Approve permanent saving only on a trusted machine; otherwise choose the current-session-only option or store the key in a dedicated secret manager.

What this means

Users have less provenance information to verify who maintains the setup instructions.

Why it was flagged

The registry metadata does not provide a source repository or homepage. That is not suspicious by itself, but it matters more for a skill that helps create and persist credentials.

Skill content

Source: unknown; Homepage: none

Recommendation

Confirm that this is the Karma setup skill you intended to install, especially before creating or saving an API key.