deso-research

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is a coherent, read-only decentralized social research helper, with routine cautions about installing a global npm CLI, using optional social-network credentials, and treating retrieved posts as untrusted content.

This skill appears safe for its stated read-only research purpose. Before installing, verify the deso-ag npm package, be deliberate about any optional API keys or Bluesky app password you expose to it, and remember that social posts returned by the tool are untrusted source material rather than instructions for the agent to follow.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI gives a third-party package local execution capability in the user's environment.

Why it was flagged

The skill relies on installing an external npm package globally. This is disclosed and central to the skill's purpose, but it creates a normal third-party package provenance dependency.

Skill content

npm install -g deso-ag

Recommendation

Verify the deso-ag npm package and maintainer, prefer a pinned version or isolated environment where practical, and install only if you trust the package source.

What this means

If configured, the CLI can use the user's social-network/API credentials for the supported research functions.

Why it was flagged

The skill can use optional service credentials to access Farcaster and Bluesky search features. This is disclosed and purpose-aligned, but users should notice that credentials may be made available to the CLI.

Skill content

`NEYNAR_API_KEY` | Farcaster search + trending ... `BLUESKY_IDENTIFIER` ... `BLUESKY_APP_PASSWORD` | Bluesky search

Recommendation

Provide only the credentials needed for the networks you want to query, use app passwords or least-privilege keys, and revoke them if no longer needed.

What this means

Misleading or adversarial posts could influence the agent's summary if treated as authoritative.

Why it was flagged

The skill intentionally brings full user-generated social posts into the agent's analysis context. This is expected for research, but retrieved social content should be treated as untrusted data rather than instructions.

Skill content

"content": "full untruncated content..."

Recommendation

Treat retrieved posts as untrusted source material, summarize with citations or links, and do not follow instructions embedded inside social posts.