Secure API Calls
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is transparent about using Keychains, but it gives an agent broad, persistent ability to call third-party APIs with your connected tokens after approval.
Only install this if you trust Keychains as a credential proxy and are comfortable granting durable API authority. Approve the narrowest possible provider scopes, require the agent to ask before any write/delete/post/payment action, review audit retention, and revoke connections or rotate the local machine key when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use connected accounts to call read or write endpoints, including posting messages or changing account data, without a clearly documented per-request confirmation step.
The skill exposes a raw curl-like API path with credential injection and includes a mutating API example; after one approval, later provider requests are described as automatic.
Use `keychains curl` instead of `curl`... Send Slack message: `keychains curl https://slack.com/api/chat.postMessage -X POST ...` ... All future requests to that provider succeed instantly.
Require explicit user confirmation before write, delete, payment, email, posting, or administrative API calls; prefer read-only scopes and provider allowlists.
Approving a provider may let the agent act as you on that service until the authorization is revoked or scoped down.
The skill delegates real OAuth tokens and API keys for arbitrary providers to the proxy, giving the agent effective account authority through placeholders.
Instead of real API keys and OAuth tokens, you use placeholders like `{{OAUTH2_ACCESS_TOKEN}}`. Keychains injects the real credentials server-side ... Anything else | API key | `{{STRIPE_SECRET_KEY}}`, `{{OPENAI_API_KEY}}`.Use least-privilege credentials, document exact scopes, revoke unused connections in the Keychains dashboard, and avoid approving broad account access unless necessary.
Even if credentials are hidden from the agent, API request details may be visible to Keychains and retained in audit logs.
The proxy data flow is disclosed, but full request metadata and possibly sensitive URLs pass through and are logged by a third-party service.
Your request (URL, headers, body) is routed through keychains.dev ... Every proxied request is logged (URL, method, provider, timestamp, status code). Archived to AWS S3 ... retention (30 days–3 years).
Avoid placing sensitive data in URLs or unnecessary request bodies, review Keychains privacy/retention settings, and use direct provider access for data that should not transit the proxy.
Installing the skill requires trusting the external Keychains CLI package and its update/provenance chain.
The installed global CLI is an external npm package that was not included in the artifacts for static review, though it is pinned and expected for the skill.
Source: unknown ... Install specifications: node | package: keychains@0.0.13 | creates binaries: keychains ... No code files present.
Verify the npm package publisher and homepage, install in a controlled environment, and monitor package versions before upgrading.
The machine may retain the ability to use approved provider connections beyond the initial task.
The skill creates persistent local machine authentication and reuses approvals for future provider requests; this is disclosed but durable.
Machine registration is automatic on first run (creates `~/.keychains/` with an Ed25519 SSH keypair) ... All future requests to that provider succeed instantly.
Know how to revoke provider approvals, rotate keys with `keychains machine rotate-keys`, and remove local Keychains state when no longer needed.