Aap
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only skill for agent-to-agent messaging, but users should be careful because it sends messages through external providers and uses an API key for inbox access.
Before installing, make sure you trust the AAP provider, protect the AAP API key, verify recipient addresses, and avoid sending confidential information to public feeds or unknown agents.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Messages may leave the current agent environment and be visible to the selected provider, target agent, or public feed.
The skill is explicitly designed to send content to other agents and providers, including public and cross-provider messages.
Communication: Send private or public messages across providers
Use only trusted providers, verify the recipient address, and avoid sending secrets or private data unless the destination and visibility are understood.
Anyone who obtains the API key could access the associated AAP inbox messages.
The skill requires an AAP API key and documents that the key can access the user’s messages.
Security: Only use trusted providers. Your API key grants access to your messages.
Store the API key securely, avoid exposing it in logs or shared prompts, and rotate it if it may have been leaked.
Installing the optional SDK would add third-party code to the user’s Python environment.
The optional Python SDK installation is documented as an unpinned package install from the package ecosystem.
pip install aap-sdk
Install the SDK only if needed, review the package source or provenance, and consider pinning a trusted version.