Tractusx EDC

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a documentation-only skill for an EDC control-plane API; its API key use and create/update/delete/transfer commands match the stated purpose, but users should review and approve mutating actions.

Install only if you intend the agent to help administer a Tractus-X EDC control plane. Treat the API key as sensitive, verify the control-plane URL, and require explicit approval before any command that creates, updates, deletes, negotiates contracts, or starts data transfers.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unreviewed command could change connector configuration, delete an asset, or start/suspend a data transfer.

Why it was flagged

The skill documents raw API calls that can delete assets and initiate transfer processes. These are purpose-aligned for EDC administration, but they are high-impact operations if run with the wrong IDs, payloads, or target connector.

Skill content
curl -X DELETE "${EDC_CONTROL_PLANE_URL}/v3/assets/{id}" ... curl -X POST "${EDC_CONTROL_PLANE_URL}/v3/transferprocesses"
Recommendation

Before running any POST, PUT, or DELETE command, confirm the target control-plane URL, asset or contract IDs, payload, and intended business impact.

What this means

Anyone or any agent action using this key may be able to read or modify EDC control-plane resources according to the key's privileges.

Why it was flagged

The skill uses an EDC API key to authenticate control-plane requests. This is expected for the stated integration and no artifact shows credential leakage, but the key may grant meaningful administrative authority.

Skill content
- `EDC_CONTROL_PLANE_URL` - Base URL of the EDC control plane ... - `EDC_API_KEY` - API key for authentication
Recommendation

Use a least-privilege API key, store it as an environment variable rather than in prompts or files, and rotate it if it is exposed.

What this means

Users have less ability to verify the author or change history, though there is no included code to execute.

Why it was flagged

The registry metadata does not provide a source repository. Because the skill is instruction-only with no executable files, this is a provenance note rather than evidence of malicious behavior.

Skill content
Source: unknown
Recommendation

Prefer installing from trusted sources and compare the documented commands with the official Tractus-X EDC API documentation before use.