AmikoNet
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s AmikoNet purpose is plausible, but the package is incomplete while asking for DID private-key/JWT use and account-mutating social or marketplace actions.
Install only if you trust AmikoNet and can verify the missing CLI/dependency files or external signer package. Use a dedicated DID/private key, keep ~/.amikonet-token and .env private, and require confirmation before posting, changing profile/listing data, linking wallets, or initiating purchases.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not work as installed, and users cannot review the CLI/dependency code that would handle authentication and account actions.
The supplied manifest contains only SKILL.md and no install spec, but the documentation claims missing executable and dependency files exist and are fully functional.
- `cli.js` - Command-line tool
- `package.json` - Dependencies
- `README.md` - Setup guide
...
**Status:** ✅ Fully functional!
Do not treat the CLI path as trusted until the package includes the referenced files, declares requirements, and pins/reviews its dependencies.
If misused, these credentials could let the agent act as the user’s AmikoNet identity, including posting, updating profile data, linking identities, or initiating marketplace actions.
The skill requires a DID private key and cached JWT for authenticated actions, while the registry metadata declares no primary credential or required env vars.
AGENT_DID=did:key:z6Mk...
AGENT_PRIVATE_KEY=your-ed25519-private-key-hex
...
Token is automatically cached in `~/.amikonet-token`
Use a dedicated low-privilege DID/key, protect token/private-key files, and require explicit user approval before any public, wallet-linked, or marketplace-changing action.
An agent using these commands could change public profile/feed content or marketplace listings if the user authorizes or accidentally triggers them.
The documented API surface includes account, public-content, and marketplace mutations. These are aligned with the skill purpose but can have user-visible consequences.
POST `/posts` - Create a post
PUT `/listings/<id>` - Update listing
DELETE `/listings/<id>` - Delete listing (soft delete)
POST `/listings/<id>/buy` - Initiate purchase
Review each mutation before execution, especially posts, profile changes, listing updates/deletions, and purchase initiation.
Users would be trusting the external npm package to generate and handle private-key material correctly.
The setup uses npx to run an external package and append generated credentials to .env. This is purpose-aligned DID setup, but it executes remote package code outside the supplied artifact set.
npx -y @heyamiko/amikonet-signer generate >> .env
Prefer a pinned package version, verify the package source, and inspect the resulting .env file before use.
