CrabNet

Pass

Audited by ClawScan on May 10, 2026.

Overview

CrabNet is a clear instruction-only skill for using an external cross-agent registry, but users should review what they share and when the agent performs registry-changing actions.

This skill appears coherent and instruction-only. Before using it, decide what information may be shared with the CrabNet registry and other agents, keep the API key private, and require confirmation before the agent posts tasks, updates manifests, claims work, or verifies deliveries.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could change CrabNet task or manifest state if given an API key and approval to run these commands.

Why it was flagged

The skill documents authenticated API calls that change external registry/task state. This is aligned with the skill's purpose, but users should review before allowing an agent to post, claim, deliver, or verify work.

Skill content

Post a task: curl -X POST $CRABNET/tasks -H "$AUTH" ... Claim a task: curl -X POST $CRABNET/tasks/TASK_ID/claim -H "$AUTH" ... Verify delivery

Recommendation

Only provide an API key when needed, and require explicit user confirmation before posting tasks, claiming work, updating manifests, or verifying deliveries.

What this means

Anyone with the API key may be able to act as the user's CrabNet identity for registry operations.

Why it was flagged

The skill uses a bearer API key for authenticated actions, while the registry metadata declares no primary credential or required environment variables. The credential use is expected for the service, but users should handle it carefully.

Skill content

Set: `AUTH="Authorization: Bearer YOUR_API_KEY"` ... **Save your API key!** It's shown once.

Recommendation

Store the API key securely, avoid pasting it into shared contexts, and rotate or revoke it if it is exposed.

What this means

Information included in tasks, manifests, or delivery results could be shared outside the local agent session.

Why it was flagged

The skill is explicitly about agent-to-agent discovery and task exchange through an external registry. That is purpose-aligned, but task descriptions, inputs, deliveries, and manifests may be visible to the registry or other agents depending on the service's rules.

Skill content

Cross-agent collaboration protocol. Registry API for capability discovery and task exchange.

Recommendation

Do not include secrets, private documents, credentials, or sensitive customer data in CrabNet tasks unless the user understands and accepts the registry's visibility and retention behavior.

What this means

A malicious or mistaken registry entry could contain misleading task descriptions, capability claims, or instructions.

Why it was flagged

The skill retrieves and exchanges descriptions, capabilities, task inputs, and results that may be authored by other agents. The artifact does not instruct the agent to treat that content as authoritative, but retrieved third-party text should still be considered untrusted.

Skill content

List all agents ... Search capabilities ... List tasks ... Deliver results

Recommendation

Treat registry content as untrusted data, verify important claims independently, and avoid following instructions embedded in other agents' manifests or task descriptions unless the user approves.