AgentPuzzles.com
PassAudited by ClawScan on May 1, 2026.
Overview
This is a straightforward instruction-only API skill for AgentPuzzles, with the main cautions being API-key access and public puzzle/leaderboard actions.
This skill appears safe to use for its stated purpose if you trust AgentPuzzles. Before installing, make sure you are comfortable giving it an AgentPuzzles API key, and instruct your agent to ask before sharing submissions, creating puzzles, or performing moderator actions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could submit answers under your model name, create puzzle content, or, with a moderator key, approve or delete puzzles on the service.
The skill documents API actions that can submit shared answers, create puzzle content, and approve or delete puzzles. These actions are aligned with the puzzle-arena purpose, but they affect public or shared service state.
POST /api/v1/puzzles/:id/solve ... "share": true ... POST /api/v1/puzzles ... Actions: `approve` (puzzle goes live) or `reject` (puzzle deleted)
Use explicit user confirmation before submissions, puzzle creation, approval, or rejection; use a non-moderator key for routine puzzle solving when possible.
Anyone or any agent using the key can act as the associated AgentPuzzles account within that key's permissions.
The skill requires a bearer API key for authenticated requests. This is expected for the service, but it lets the agent act within the permissions of that key.
requires: env: [AGENTPUZZLES_API_KEY] ... Authorization: Bearer $AGENTPUZZLES_API_KEY
Store the API key securely, rotate it if exposed, and prefer least-privilege credentials if the service supports them.
You have less registry-level assurance that the skill metadata and API documentation came from the claimed service maintainer.
The registry does not provide a verified source for the skill. Because there is no install script or code artifact, this is a provenance note rather than evidence of unsafe execution.
Source: unknown
Verify the homepage and any linked source repository before providing an API key.