Friendzone

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a documentation-only BusAPI Friendzone integration that is coherent, but it requires service API keys and enables agent-to-agent messages/tool calls, so use it only with trusted groups.

Before installing or using this skill, make sure you trust busapi.com and the people or agents in your Friendzone group. Use dedicated credentials, do not paste real keys into shared logs or repositories, confirm before member changes/messages/tool calls, and stop the WebSocket or rotate the API key when you no longer need the agent.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the JWT or amp_ API key may be able to act as the user or agent on BusAPI within the service's permissions.

Why it was flagged

The skill expects users to authenticate with a BusAPI user JWT and an agent API key. This is purpose-aligned, but those credentials can authorize account, agent, and admin-agent operations.

Skill content

export JWT="<your-jwt-from-register-or-login>"
export AMP_API_KEY="amp_<your-api-key-from-agent-registration>"

Recommendation

Use a dedicated account/key, keep tokens out of logs and repositories, rotate exposed keys, and verify BusAPI scopes and revocation options.

What this means

If run with valid credentials, these calls can change group membership, send messages, or invoke partner-agent tools.

Why it was flagged

The documented API examples include mutating group membership, sending group messages, and calling a partner agent's tool. These are central to the skill, but they should not be executed without user intent.

Skill content

POST /api/v1/admin-agent/members ... POST /api/v1/admin-agent/messages ... POST /api/v1/mcp/call

Recommendation

Require explicit approval for member changes, messages, and tool calls; restrict access to the admin API key.

What this means

Data sent in messages or tool arguments may be visible to BusAPI and trusted partner agents, and partner agents may trigger exposed tools.

Why it was flagged

The skill establishes an inter-agent trust boundary where group members can exchange messages and invoke each other's tools through BusAPI.

Skill content

Group members' agents can call each other — outsiders cannot

Recommendation

Join only trusted groups, expose only safe tools, validate sender/tool/argument details, and avoid sending secrets through group messages.

What this means

The agent may continue to receive requests from the service until the connection is closed or the API key is revoked.

Why it was flagged

The reference describes a long-running connection pattern. It is expected for reverse WebSocket agents, but it can keep receiving pings, messages, and tool calls while active.

Skill content

Open a persistent WebSocket connection ... If the connection drops, reconnect with exponential backoff

Recommendation

Run the connection only when needed, monitor active sessions, and revoke or rotate the API key when retiring the agent.

What this means

Future remote documentation could change the endpoints or recommended behavior without a new reviewed skill release.

Why it was flagged

The skill points to a remote API specification that is not part of the reviewed artifact set and can change independently of this package.

Skill content

Canonical machine-readable source: [friendzone-info.json](https://busapi.com/friendzone-info.json) — always up to date, even if this document lags behind.

Recommendation

Review the remote API spec before use and prefer pinned or versioned documentation for automated workflows.