v0.1.5

AgentBooks

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:07 AM.

Analysis

AgentBooks is transparent about its purpose, but it asks the agent to run an unbundled npm CLI that can affect financial records and crypto wallet/provider access, so it needs careful review before use.

Guidance

Install only after reviewing and pinning the AgentBooks npm package. Start in a sandbox with a dedicated AGENTBOOKS_DATA_PATH, use testnet or throwaway wallets first, and require manual approval for wallet connections, provider authentication, and any financial record changes.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
This installs a third-party npm package (`agentbooks`) not bundled with this skill ... npx agentbooks guard ... downloads on each invocation

The actual executable behavior comes from a public npm package outside the reviewed artifacts, and npx may fetch it again at runtime.

User impact: A changed, compromised, or unofficial package could control the financial-management behavior the agent runs.

Recommendation: Audit the npm package and repository, pin a specific trusted version, and test in a sandbox before connecting real financial accounts.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
allowed-tools: Bash(agentbooks:*) ... Record costs proactively ... agentbooks wallet-init ... agentbooks wallet-connect --provider coinbase-cdp

The wildcard Bash permission lets the agent invoke the AgentBooks CLI broadly, including commands that write financial records or initialize/connect wallet providers.

User impact: The agent could make persistent ledger changes or start wallet/provider setup through the CLI without a clearly enforced per-action approval boundary in the artifacts.

Recommendation: Limit allowed commands where possible and require explicit user approval before any wallet connection, provider setup, or financial ledger mutation.

Agent Goal Hijack
Severity: Low | Confidence: High | Status: Note
SKILL.md
Read the `tier` and `prescriptions` fields and act accordingly ... optimize_costs → answer directly, skip extended reasoning

The skill intentionally lets a financial-health report change how the agent prioritizes work and response effort.

User impact: The agent may reduce effort, prioritize higher-value tasks, or ask for funding based on its financial status.

Recommendation: Make sure this behavior is desired, and override it when the user's task priority should take precedence.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
After completing any medium or complex task, proactively offer to record its value

The skill prompts the agent to ask users to confirm economic value or income after work is completed.

User impact: Users may experience the agent as seeking payment or income confirmation during normal work.

Recommendation: Only record income after explicit confirmation, and treat these prompts as optional bookkeeping rather than a payment demand.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
manage multi-provider crypto wallets ... Do not connect real wallets or supply private keys until you have reviewed the provider authentication flow

The skill explicitly contemplates real wallet/private-key or provider-authentication flows, but delegates that sensitive handling to the external CLI.

User impact: Connecting a production wallet or provider could give the external CLI access to sensitive financial authority.

Recommendation: Use testnets or throwaway wallets first, avoid private keys where possible, use least-privilege provider accounts, and manually review every authentication step.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Set `AGENTBOOKS_DATA_PATH` to a dedicated directory ... to limit the blast radius if the CLI behaves unexpectedly

The skill stores or reads persistent financial state through a local data path, and the artifact itself warns that isolation matters.

User impact: Financial history and agent economic state may persist across sessions and could be mixed with other data if not isolated.

Recommendation: Set a dedicated data directory with appropriate permissions and review what is stored there.