Agent Passport

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.

This skill appears purpose-aligned, but treat mandates like permissions: approve the narrowest scope that works, avoid broad templates such as full-auto unless necessary, protect the local ledger directory, and remember that read-only file access is not gated by this skill. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may pause or refuse actions until a mandate exists.

Why it was flagged

The skill deliberately adds a mandatory tool-check and stop/ask workflow before sensitive side-effect actions. This is central to its purpose and protective, but it does alter the agent's normal decision flow.

Skill content

Before performing ANY of these actions, you MUST call `check-action` first

Recommendation

Install only if you want this consent-check workflow, and review the mandate prompts before approving them.

What this means

A broad mandate could let the agent run many commands without asking again until the mandate expires or is revoked.

Why it was flagged

The skill includes user-selectable templates that can authorize broad system activity for a period of time. This is disclosed and time-limited, but it is high-impact if approved casually.

Skill content

`full-auto` - `system`, allowlist `all`, rate 200/hour, TTL 1d

Recommendation

Prefer narrow templates and path/domain/command allowlists; avoid `full-auto` unless you fully trust the agent and task.

What this means

If Pro updates are enabled, the skill may contact the provider and update local security definitions in the background.

Why it was flagged

Remote threat-definition updates are disclosed and fit the scanner purpose, but they can change scanner behavior without per-update review.

Skill content

Pro tier ($19/mo): Definitions auto-update every 6 hours silently in the background.

Recommendation

Use the offline/free mode if you do not want background updates, and only enable Pro updates from a provider you trust.

What this means

The local ledger may contain sensitive action descriptions, recipients, spending amounts, or agent identity details.

Why it was flagged

Mandates, agent identity metadata, and action audit history are persisted locally and can influence future authorization checks.

Skill content

LEDGER_FILE="$LEDGER_DIR/mandates.json"; KYA_FILE="$LEDGER_DIR/agents.json"; AUDIT_FILE="$LEDGER_DIR/audit.json"

Recommendation

Store the ledger in a protected directory, review audit contents periodically, and delete or archive it carefully if it contains sensitive records.

What this means

The skill is mainly a side-effect gate; it does not by itself prevent the agent from reading sensitive local files or web content.

Why it was flagged

The marketing language is broad, while the operational rules explicitly exclude read-only actions. The limitation is disclosed, but users should not assume it protects all sensitive reads.

Skill content

Consent-gating for ALL sensitive agent actions... You do NOT need to check: reading files, web searches, internal reasoning

Recommendation

Use separate file-access controls or narrower agent permissions for confidential data, especially if read access is sensitive.