Evalpal
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Evalpal appears purpose-aligned, but it uses your EvalPal API key to start and read evaluation runs, so you should confirm the key scope and endpoint before installing.
This skill looks coherent for running EvalPal evaluations. Before installing, make sure you trust the EvalPal account connection, use a limited API key if available, keep the API URL set to the trusted HTTPS EvalPal endpoint, and be mindful that list/status/run results may appear in the chat where the command is used.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill must provide an EvalPal API key that can read evaluation data and start evaluation runs according to that key's permissions.
The script uses the configured EvalPal API key as a bearer token for API requests. This is expected for the service integration, but it gives the skill delegated access to the user's EvalPal account.
-H "Authorization: Bearer $EVALPAL_API_KEY" ... "${API_URL}${_path}"
Use a dedicated EvalPal API key with the minimum permissions needed, revoke it if no longer used, and keep the default or another trusted HTTPS API URL.
Invoking the run command will start a new EvalPal evaluation under the configured account.
The run command performs a state-changing POST request that creates a new evaluation run. This is the core advertised function, but it is still an external account action.
RUN_RESPONSE=$(api_request POST "/api/v1/evals/${EVAL_ID}/run" "{}")
Run evaluations only when intended, and confirm the eval ID before invoking the command.
Using the list command may display project and evaluation names wherever the agent response is visible.
When no project ID is supplied, the script lists projects and their evaluation definitions. This is disclosed in the documentation and fits the skill's purpose, but it can reveal project and evaluation names in the chat output.
PROJECTS=$(api_get "/api/v1/projects") ... api_get "/api/v1/projects/${P_ID}/eval-definitions"
Use the project filter when appropriate, and avoid running the list command in channels where project names or evaluation names should not be shared.
