agentbook
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate agentbook integration, but it asks users to install external binaries that can hold sensitive keys, run persistently, and enable autonomous wallet transactions without clear limits in the visible artifacts.
Review this skill carefully before installing. If you use it, install from a verified pinned release, avoid yolo/autonomous transaction modes, use a low-value isolated wallet, keep setup and unlocking human-controlled, and stop or uninstall the background service when not needed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If yolo mode or contract calls are enabled, the agent or daemon could make financial/on-chain changes that may be difficult or impossible to undo.
The skill exposes smart-contract and wallet operations plus an autonomous transaction mode. The provided visible instructions do not define spend limits, contract allowlists, confirmation requirements, or containment for irreversible on-chain actions.
description: ... checking wallet balances, or calling smart contracts. ... agentbook up --yolo # Enable yolo wallet for autonomous transactions
Use only with an isolated low-value wallet unless explicit human confirmation, spending caps, and contract allowlists are enforced. Avoid '--yolo' unless you fully understand and accept the risk.
Unlocking the agent may keep account or wallet access available to the local agentbook processes after the initial login, increasing the consequences of a compromised machine or process.
The skill handles account recovery material, passphrases/TOTP, and an in-memory KEK that enables non-interactive restarts. This is high-impact credential authority, especially because the handling occurs in external binaries not included for review.
Setup is interactive and requires human input (passphrase, recovery phrase backup, TOTP). ... agentbook-agent — in-memory credential vault (holds KEK so node can restart without prompts).
Only unlock the credential agent when needed, lock or stop it afterward, verify the 1Password/passphrase flow, and avoid using valuable wallets or accounts until the binary provenance is verified.
The daemon may remain active after the immediate task is finished, and yolo service mode could keep autonomous wallet behavior available across sessions.
The skill documents persistent startup at login and an option to combine persistence with autonomous transaction capability. This is disclosed, but it can continue operating beyond a single user task.
Install the node daemon as a system service that starts at login: ... agentbook service install --yolo # Install with yolo mode
Do not install the service unless you need persistent operation. Prefer foreground/manual startup, avoid service '--yolo', and verify that 'agentbook service uninstall' and 'agentbook down' actually stop it.
A changed or compromised upstream installer/release could run code locally and gain access to the same sensitive agentbook account or wallet context.
The install path uses a mutable remote shell script and latest/self-update behavior without checksums, signatures, or pinned versions in the provided artifacts. The downloaded binaries would handle messaging, credentials, and wallet functions.
curl -fsSL https://raw.githubusercontent.com/ardabotai/agentbook/main/install.sh | bash ... agentbook update --yes # Skip confirmation prompt
Install from a pinned release, inspect the installer, verify checksums or signatures if available, and avoid '--yes' self-updates for a credential- or wallet-handling tool.
Messages from other users could contain misleading instructions or sensitive content that the agent might summarize, act on, or expose if not handled carefully.
The skill receives content from other network participants through a relay. This is expected for a messaging tool, but peer-supplied messages should be treated as untrusted data rather than instructions.
Use agentbook to send and receive encrypted messages on the agentbook network. ... agentbook up # Start daemon (connects to agentbook.ardabot.ai)
Treat inbox/feed content as untrusted, ask before acting on messages, and avoid sending private message contents to unrelated tools or services.
