ClawAudit verdict

graymatter

45
🟠 Risky
Significant concerns — only install if you understand the risks

The skill instructs the agent to load a live OpenAPI spec from a third-party server (api-0.valkyrlabs.com) and treat it as the authoritative source of truth for all available business objects and actions, effectively delegating control of agent behavior to a remotely-controlled external specification.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

0
security
80
transparency
70
maintenance

Permission integrity

Accesses agent memory/configuration files

agent_memory

Findings (10)

Pattern match high

Possible hardcoded credential

mcp-server/test/server.test.js · prose · downgraded · token: 'expired-process-token

Pattern match medium

Accesses system credential store

SKILL.md · prose · downgraded · Keychain

Pattern match medium

References agent memory files

SKILL.md · code · memory.md

Pattern match medium

References child_process — can spawn system processes

mcp-server/index.js · prose · downgraded · child_process

Pattern match medium

HTTP request to bare IP address — common in malicious payloads

mcp-server/index.js · prose · downgraded · http://127.0.0.1

Pattern match medium

References tunneling service

mcp-server/README.md · code · ngrok

Pattern match medium

Uses spawn() — can execute external programs

mcp-server/test/server.test.js · prose · downgraded · spawn(

Pattern match medium

Instructs covert action — may act without user awareness

references/multi-agent-conventions.md · prose · downgraded · silently

Pattern match medium

Long base64 string (100+ chars) — likely obfuscated payload

tests/gm_install_check_test.sh · prose · downgraded · eyJyb2xlcyI6WyJFVkVSWU9ORSIsIkZSRUUiXSwiYXV0aG9yaXRpZXMiOlsiRlJFRSJdLCJzY29wZXMi

Pattern match low

Accesses sensitive environment variables

mcp-server/index.js · prose · downgraded · process.env.VALKYR_AUTH_TOKEN

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class B/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

No declared permissions — minimal attack surface.

agent_memory

Is this flag fair?

Check another skill Browse the registry Auditing your own skills or configs? Use the API