Digital Labour

ReviewAudited by ClawScan on May 1, 2026.

Overview

This looks like a coherent remote API client for business-automation agents, but users should know their business inputs may be sent to an external service.

Install only if you trust the Digital Labour endpoint and are comfortable sending the relevant business data to it. Avoid entering secrets or regulated customer/financial data unless your policies allow it, set the API URL and API key carefully, and review pipeline results before using them externally.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Business, customer, financial, document, or resume text entered for these agents may leave your environment and be processed by the service.

Why it was flagged

The API client sends agent inputs to a configured/default external endpoint for processing.

Skill content

BASE_URL = os.environ.get("DIGITAL_LABOUR_API_URL", "https://bitrage-labour-api-production.up.railway.app",).rstrip("/") ... result = _post("/v1/run", payload)

Recommendation

Use only with data you are allowed to share with this provider; review privacy/retention terms and set the API URL to a trusted endpoint.

Low

#ASI03: Identity and Privilege Abuse

What this means

If you set DIGITAL_LABOUR_API_KEY, it will be sent to the configured API endpoint as authentication.

Why it was flagged

The script can read and send an optional API key, which is expected for an API client but should be clearly documented and scoped.

Skill content

API_KEY = os.environ.get("DIGITAL_LABOUR_API_KEY", "") ... h["X-Api-Key"] = API_KEY

Recommendation

Set API keys only for endpoints you trust, use least-privilege keys when available, and rotate the key if it is exposed.

Low

#ASI08: Cascading Failures

What this means

A mistake in an early lead, research, CRM, bookkeeping, or content step could carry into later outputs.

Why it was flagged

The pipeline runner automatically passes earlier agent results into later agent inputs, so one inaccurate or unsafe output can influence downstream steps.

Skill content

vars_ctx[f"FROM_STEP_{j + 1}"] = json.dumps(prev.get("result", {})) ... result = _post("/v1/run", {"agent": agent, "inputs": inputs})

Recommendation

Review intermediate results before relying on pipeline outputs for customer communication, accounting, CRM updates, or business decisions.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

You are trusting an externally hosted service to process the data you send through the skill.

Why it was flagged

The skill depends on an external service, and the provided source/provenance information is limited.

Skill content

Source: unknown; Homepage: https://bitrage-labour-api-production.up.railway.app

Recommendation

Confirm the provider and endpoint are the ones you intend to use before sending sensitive or regulated business data.