ClawHub
Back to skill
v1.0.1

AgenticCreed SignUP Lead

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:34 AM.

Analysis

This skill is a simple, disclosed HTTP signup-lead submission tool, but it sends personal details to an external service and uses an API key that is not declared in the registry metadata.

GuidanceThis appears coherent and purpose-aligned. Before installing, confirm you trust the AgenticCreed endpoint, set only an appropriate API key, and use the skill only when you intend to submit the provided personal lead details.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.yaml
method: POST
  url: https://gateway.agenticcreed.ai/signup-leads

The skill performs a state-changing HTTP POST to create a lead record. This is the stated purpose and is limited to one endpoint, but users should understand it creates data in an external system.

User impactIf invoked with real details, the skill may create a new lead record in AgenticCreed.
RecommendationUse it only when the user intends to submit those lead details, and verify the information before invoking it.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.yaml
x-api-key: "{{env.AGENTICCREED_API_KEY}}"

The skill uses an API key from the environment to authenticate to AgenticCreed. This is purpose-aligned, but the registry metadata says there are no required environment variables or primary credentials.

User impactThe skill will act with whatever permissions the configured AgenticCreed API key has.
RecommendationUse a least-privilege API key if available and confirm the API key requirement before installation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
This skill sends lead details (email, name, contact info, etc.) to https://gateway.agenticcreed.ai/signup-leads.

The skill explicitly sends personal lead data to an external AgenticCreed gateway endpoint. This is disclosed and matches the purpose, but it is sensitive data transfer.

User impactPersonal information such as email, address, date of birth, and phone number may be sent to AgenticCreed.
RecommendationSubmit only information the user is authorized to share with AgenticCreed and avoid unnecessary personal fields.