AgentWeb.live — Global Business Directory
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is mostly a coherent business-directory lookup skill, but it can send account/contact data to a third-party API and may submit business-data reports without clearly requiring user approval.
Install only if you are comfortable using AgentWeb.live as a third-party directory service. Prefer providing your own API key, avoid putting the key in URLs, and require explicit confirmation before the agent contributes or reports any business data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could submit a report about a business listing to AgentWeb.live based on its own determination, which may affect public business-directory data.
Reporting incorrect, spam, duplicate, or closed business data is a mutating action against a third-party directory. Unlike contribution, the workflow does not explicitly require user approval before submitting a report.
If data is wrong → `POST /v1/report`
Only allow reports after the user explicitly confirms the exact business ID, report type, and details to submit.
Using the auto-registration option shares the user's email with AgentWeb.live and creates a service API key for the session.
The skill discloses that it may send the user's email to AgentWeb.live to obtain an API key. This is purpose-aligned, but it is still account/contact information shared with a third party.
Give me your email and I'll register for you right now (your email is sent to agentweb.live to create the key)
Prefer creating the API key yourself on AgentWeb.live, and only provide an email if you are comfortable sharing it with that service.
The AgentWeb API key may be visible in generated curl commands or logs if query-parameter authentication is used.
The skill permits putting the API key in the URL query string, and the examples use that style. Query-string credentials can be more easily exposed in logs, command histories, or shared URLs than header-based credentials.
Auth: `?api_key=KEY` or header `X-API-Key: KEY`
Use the `X-API-Key` or `Authorization: Bearer` header rather than placing the key in the URL.
A user reviewing only the registry requirements might not realize an AgentWeb API key is needed until reading the skill instructions.
The registry summary under-declares the credential requirement even though SKILL.md states that an API key and `AGENTWEB_API_KEY` are used. The skill itself discloses this, so this is a metadata clarity issue rather than hidden credential use.
Required env vars: none ... Primary credential: none
Update the registry metadata so `AGENTWEB_API_KEY` is declared as the primary credential.