AgentWeb.live — Global Business Directory

Pending

Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could submit a report about a business listing to AgentWeb.live based on its own determination, which may affect public business-directory data.

Why it was flagged

Reporting incorrect, spam, duplicate, or closed business data is a mutating action against a third-party directory. Unlike contribution, the workflow does not explicitly require user approval before submitting a report.

Skill content

If data is wrong → `POST /v1/report`

Recommendation

Only allow reports after the user explicitly confirms the exact business ID, report type, and details to submit.

What this means

Using the auto-registration option shares the user's email with AgentWeb.live and creates a service API key for the session.

Why it was flagged

The skill discloses that it may send the user's email to AgentWeb.live to obtain an API key. This is purpose-aligned, but it is still account/contact information shared with a third party.

Skill content

Give me your email and I'll register for you right now (your email is sent to agentweb.live to create the key)

Recommendation

Prefer creating the API key yourself on AgentWeb.live, and only provide an email if you are comfortable sharing it with that service.

What this means

The AgentWeb API key may be visible in generated curl commands or logs if query-parameter authentication is used.

Why it was flagged

The skill permits putting the API key in the URL query string, and the examples use that style. Query-string credentials can be more easily exposed in logs, command histories, or shared URLs than header-based credentials.

Skill content

Auth: `?api_key=KEY` or header `X-API-Key: KEY`

Recommendation

Use the `X-API-Key` or `Authorization: Bearer` header rather than placing the key in the URL.

What this means

A user reviewing only the registry requirements might not realize an AgentWeb API key is needed until reading the skill instructions.

Why it was flagged

The registry summary under-declares the credential requirement even though SKILL.md states that an API key and `AGENTWEB_API_KEY` are used. The skill itself discloses this, so this is a metadata clarity issue rather than hidden credential use.

Skill content

Required env vars: none ... Primary credential: none

Recommendation

Update the registry metadata so `AGENTWEB_API_KEY` is declared as the primary credential.