AgentKey — Full internet access for your AI agent
Review
Audited by ClawScan on May 10, 2026.
Overview
AgentKey is aligned with its web/MCP integration purpose, but it should be reviewed because it can run remote setup/update commands, store an API key in agent configs, and enable future auto-updates.
Install only if you trust AgentKey, `@agentkey/mcp`, and the `chainbase-labs/agentkey` update channel. Review or manually run the setup command, understand where the API key will be stored, avoid sending confidential data through the MCP tools, and do not enable auto-upgrade unless you are comfortable with future updates being installed automatically.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may try to run a remote installer/auth command and change local agent configuration when the user only asked for a web/data query.
A normal query can be routed into a shell-executed setup/auth flow that modifies MCP configuration, without a clearly stated confirmation step in the visible setup workflow.
If any are missing → Setup (regardless of what the user asked). ... Install / re-auth in one shot — run this in the user's shell: `! npx -y @agentkey/mcp --auth-login`
Require explicit user confirmation before running setup or re-auth commands, and prefer running the setup command manually after reviewing it.
If the referenced package, registry entry, or update channel is compromised or changed unexpectedly, the agent could execute altered code that affects local configuration or credentials.
Setup and upgrade pull executable packages/skill updates by name without pinned versions or checksums; combined with the unknown source/homepage and no install spec, provenance is not easy to verify.
`npx -y @agentkey/mcp --auth-login` ... `npx skills update chainbase-labs/agentkey`
Install only if you trust AgentKey and the referenced package/update source; avoid auto-updates unless you are comfortable receiving unreviewed future changes.
Processes or users that can read those config files may be able to obtain the AgentKey API key or use the configured MCP server.
The integration stores an AgentKey API key in local agent configuration so the MCP server can authenticate. This is expected for the service, but it is sensitive delegated access.
Writes the MCP server entry (with the key as an env var) into known config files: Claude Code → `~/.claude/settings.json` ... Cursor → `~/.cursor/mcp.json`
Use a revocable/least-privilege key if available, restrict file permissions, and revoke/remove the key when uninstalling or if the machine is shared.
After opting in, future uses of the skill can update AgentKey automatically instead of asking each time.
A persistent opt-in file changes future behavior so updates can run without another prompt. It is disclosed and includes an undo path, but it extends agent behavior across sessions.
`Always keep me up to date` → ... `touch .../agentkey/auto-upgrade` ... "future AgentKey updates install automatically"
Do not enable auto-upgrade unless you trust the update channel; remove `~/.config/agentkey/auto-upgrade` to disable it.
Search terms, URLs, scrape targets, and other parameters may be sent to AgentKey's service.
Queries, URLs, and tool parameters are routed through an external MCP provider. This is purpose-aligned, but users should understand the data boundary.
The skill is useless without the AgentKey MCP server registered ... `execute_tool` | Execute any tool by name + params. All calls go through this.
Avoid sending secrets, private URLs, or confidential business data unless you intend to share them with the provider and have reviewed its privacy/security terms.
