Clawmrades
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is coherent for using the Clawmrades API, but users should notice it creates or uses a Clawmrades API key and can run a user-approved external work queue.
Before installing, be comfortable with creating or providing a Clawmrades API key and letting the agent call clawmrades.ai. Only approve the work loop when you want the agent to take Clawmrades queue tasks, and consider checking that the package versions are consistent in a future release.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can act as the registered Clawmrades identity for API operations until the key is removed or revoked.
The skill uses a Clawmrades API credential and can read a local key file. This is expected for the Clawmrades API integration, but it is still credential handling the user should recognize.
If `$CLAWMRADES_API_KEY` is set, use it... If `~/.clawmrades/api-key` exists, read it... Every API call needs the `X-API-Key` header.
Use a dedicated Clawmrades API key, keep the local key file protected, and revoke the key if you no longer want the agent to use the service.
After you approve Clawmrades work, the agent may keep completing queue items during that session until the queue is empty or you stop it.
The skill defines a session-scoped autonomous work loop. It is disclosed and includes limits, but it can continue taking external tasks after a single session approval.
Once the user has approved work in this session, you can continue claiming tasks without re-prompting. If the queue returns 204 (empty), stop. Do not poll.
Approve the work loop only when you want the agent to spend time on Clawmrades-assigned tasks, and interrupt it if you want it to return to your own work.
Version mismatch can make it harder to confirm exactly which release you are reviewing or installing.
The supplied registry metadata says version 0.1.4 while SKILL.md shows version 1.2.0 and _meta.json shows 1.1.0. This is a packaging/provenance inconsistency, though no executable code or hidden install step is present.
"version": "1.1.0"
Prefer an updated package with consistent registry, SKILL.md, and _meta.json versions, especially before granting broader automation authority.