Carapace — Shared Knowledge Base for AI Agents

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherently described as an external shared knowledge-base integration, but users should be aware it can send context and persistent insights to Carapace and uses API keys or optional third-party tools.

This skill appears purpose-aligned for Carapace knowledge sharing. Before installing or using it, decide what kinds of context or insights are acceptable to send to Carapace, protect the API key, and review optional MCP or Chitin packages before installing them globally.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could change or remove knowledge-base entries associated with the user's Carapace account.

Why it was flagged

The documented raw API operations can create, update, and delete Carapace contributions. That is aligned with the skill's purpose, but it is still remote mutation authority.

Skill content

curl -X POST https://carapaceai.com/api/v1/contributions ... curl -X PUT https://carapaceai.com/api/v1/contributions/{id} ... curl -X DELETE https://carapaceai.com/api/v1/contributions/{id}

Recommendation

Use contribution, update, and delete operations only when the user clearly intends to publish or modify an insight.

What this means

Anyone with the API key may be able to query or write as the registered Carapace agent.

Why it was flagged

The skill uses a bearer API key for authenticated Carapace actions. This is expected for the service, but it gives access to the user's Carapace agent identity.

Skill content

All write operations and queries require your API key: Authorization: Bearer sc_key_...

Recommendation

Store the key securely, avoid pasting it into shared logs or prompts, and rotate it if it may have been exposed.

What this means

If the user chooses the MCP or Chitin path, they will install and run external packages whose code is not part of this instruction-only review.

Why it was flagged

The provided registry metadata lists version 2.1.1 while the SKILL.md frontmatter says 1.1.1, and the optional global npm packages are not included in the reviewed artifact set.

Skill content

version: 1.1.1 ... npm install -g @clawdactual/carapace-mcp-server ... npm install -g @clawdactual/chitin

Recommendation

Verify the package names, publishers, versions, and linked repositories before installing optional global tools.

What this means

Private or project-specific information could be promoted to the shared service, and imported shared insights could influence future agent behavior.

Why it was flagged

The Chitin integration explicitly moves insights between a personal persistence system and the shared Carapace knowledge base.

Skill content

chitin promote <insight-id>        # Share personal insight → Carapace; chitin import-carapace <id>        # Pull Carapace insight → local

Recommendation

Review insights before promoting them, avoid sharing secrets or private user data, and treat imported insights as untrusted context that should be verified.