Web Service Onboarding
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill gives an agent broad authority to create web-service accounts, use email verification, generate API keys, and persist authentication material without clear scope or approval boundaries.
Only install this if you are comfortable giving the agent tightly supervised authority to create external accounts and handle credentials. Use a dedicated email account and vault, confirm each service and API-key action, and avoid leaving WebAuthn credential exports in temporary files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create accounts, generate secrets, and change environment configuration for services the user did not intend to authorize in that exact way.
This grants the agent broad mutation authority across arbitrary third-party services and local project configuration, without visible scoping or approval checkpoints.
Use when asked to create an account on any external service... Generate API keys → Store securely in 1Password → Wire .env
Require explicit user approval for the exact service, email account, vault item, API key creation, and .env path before taking each high-impact action.
A mailbox used for verification could expose more than just signup links if the agent is not limited to a dedicated account or specific messages.
The workflow involves mailbox credentials and account-verification access, while the registry metadata declares no primary credential, required env vars, or credential boundary.
Email Fetching via Proton Bridge IMAP ... function fetchLatestTurnkeyLink(host='127.0.0.1', port=1143, user, pass)
Use a dedicated verification mailbox, declare the required email and vault access, and restrict reads to the expected sender/service and user-approved signup flow.
Saved passkey material could allow future authenticated access to the created service account outside the original signup task.
The skill documents persistence of WebAuthn/passkey material across browser sessions in a local temporary file, with no visible cleanup, encryption, or user-consent boundary for reuse.
The only way to reuse it is to export the credential before closing, then re-import on next run ... fs.writeFileSync('/tmp/webauthn-creds.json', JSON.stringify(creds));
Store any reusable authenticator material only in an approved secure vault, clean temporary files, and require explicit user consent before reusing saved authentication state.
