Tractusx EDC
Advisory: Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unreviewed command could change connector configuration, delete an asset, or start/suspend a data transfer.
The skill documents raw API calls that can delete assets and initiate transfer processes. These are purpose-aligned for EDC administration, but they are high-impact operations if run with the wrong IDs, payloads, or target connector.
`curl -X DELETE "${EDC_CONTROL_PLANE_URL}/v3/assets/{id}" ...`
`curl -X POST "${EDC_CONTROL_PLANE_URL}/v3/transferprocesses"`
Before running any POST, PUT, or DELETE command, confirm the target control-plane URL, asset or contract IDs, payload, and intended business impact.
Anyone or any agent action using this key may be able to read or modify EDC control-plane resources according to the key's privileges.
The skill uses an EDC API key to authenticate control-plane requests. This is expected for the stated integration and no artifact shows credential leakage, but the key may grant meaningful administrative authority.
- `EDC_CONTROL_PLANE_URL` - Base URL of the EDC control plane ...
- `EDC_API_KEY` - API key for authentication
Use a least-privilege API key, store it as an environment variable rather than in prompts or files, and rotate it if it is exposed.
Users have less ability to verify the author or change history, though there is no included code to execute.
The registry metadata does not provide a source repository. Because the skill is instruction-only with no executable files, this is a provenance note rather than evidence of malicious behavior.
Source: unknown
Prefer installing from trusted sources and compare the documented commands with the official Tractus-X EDC API documentation before use.
