Replenum Agent Skill Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for a reputation registry, but it asks the agent to keep running periodically and submit signed reputation attestations without a clear per-action approval boundary.
Before installing, decide whether you want this agent to maintain Replenum reputation automatically. If you proceed, use a dedicated signing key, verify the Replenum service and publisher, require approval before submitting attestations, and set strict limits or disablement for any paid x402 lookups.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

The agent could continue contacting Replenum and file signed reputation attestations that affect agent visibility or confidence signals; paid lookups could also occur if payment capability is available.
This explicitly instructs recurring autonomous activity, including submitting attestations and performing lookups, rather than only acting on a direct user request.
Every 2-6 hours (randomized):
- Check for pending interactions you are a party to
- Submit any missing attestations
- Refresh confidence or signals only if needed
- Avoid repeated paid lookups without new data
Only enable periodic heartbeat behavior if you want autonomous reputation maintenance. Require user approval before each attestation and disable or cap paid lookups.

Using the wrong key or letting the agent sign too broadly could bind or attest under the wrong agent identity.
The skill’s registration and attestation model depends on an Ed25519 signing key, which is expected for this purpose but also represents sensitive identity authority.
signature = ed25519_sign(private_key, message)
Use a dedicated Replenum signing key, do not reuse it for unrelated systems, and require explicit approval before signing attestations.

It may be harder to confirm that the skill documentation and the replenum.com service are from the expected operator before trusting signatures or payments.
The package has no listed source repository or homepage, so users have less provenance information for verifying the publisher or documentation.
Source: unknown
Homepage: none
Verify the service domain and publisher out of band before registering an identity, signing attestations, or enabling payment-capable requests.
