Purefeed
Pass
Audited by ClawScan on May 4, 2026.
Overview
Purefeed appears purpose-aligned, but it uses a Purefeed API key and can create, modify, or delete Purefeed monitoring and bookmark data.
This looks reasonable for a Purefeed user. Before installing, make sure you trust purefeed.ai, use a revocable API key, and confirm any requests that create, update, auto-activate, or delete signals and bookmark folders.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change or remove Purefeed signals or bookmark organization if the user asks it to use those workflows.
The skill uses bash/curl to call API endpoints, including destructive account operations. This is disclosed and aligned with managing signals/folders, but users should explicitly approve mutations and deletions.
allowed-tools: ["bash"] ... | DELETE | /signals/:id | Delete signal (irreversible) |
Use the skill for read-only searches unless you intentionally want it to create, update, or delete signals or folders; confirm destructive operations before they run.
Anyone or any agent action using this key can access the Purefeed API permissions associated with that key.
The skill requires a bearer API key for the user's Purefeed account. This is expected for the service integration, with no evidence of credential logging or unrelated use.
**Auth:** `Authorization: Bearer $PUREFEED_API_KEY`
Use a dedicated, revocable Purefeed API key with the least permissions available, and rotate it if it is exposed.
A created signal may keep monitoring and processing matches until the user disables or deletes it.
Creating a signal can establish ongoing scheduled monitoring in Purefeed. This persistence is central to the stated monitoring purpose, but users should know it continues after setup.
`POST /signals` — create signal with name + description + tags + color + cron + timezone (auto-activates)
Review new signal settings, cron/timezone, and active status after creation, and disable or delete monitors you no longer want.
