Endpoints document management API toolkit. Scan documents with AI extraction and organize structured data into categorized endpoints. Use when the user asks to: scan a document, upload a file, list endpoints, inspect endpoint data, check usage stats, create or delete endpoints, get file URLs, or manage document metadata. Requires ENDPOINTS_API_KEY from endpoints.work dashboard.
Security Analysis
High confidence
The skill largely implements a coherent document-scanning client for endpoints.work, but its declared metadata omits the required ENDPOINTS_API_KEY and there are small mismatches between the README/workflow and the shipped code that you should review before installing or running it with real data or credentials.
The skill's code and SKILL.md match the described purpose (upload/scan documents, list/create/delete endpoints, fetch presigned file URLs, get billing stats). However the registry metadata claims no required environment variables or primary credential, while both SKILL.md and scripts/src/index.ts require ENDPOINTS_API_KEY (with ENDPOINTS_API_URL optional). This metadata mismatch is an incoherence that could mislead users about what secrets are needed.
Instructions tell the agent/user to create a .env with ENDPOINTS_API_KEY and to run npm install; the runtime code will read arbitrary local files (scanFile uses readFileSync on any supplied path) and will save output JSON into results/{category}/ and billing data into results/billing/. This file I/O and automatic saving is consistent with scanning functionality, but SKILL.md also describes a 'Summarize' phase that reads saved JSON and writes markdown summaries — that summarization is not implemented in the provided code, a discrepancy. Also scanning uploads content to the endpoints.work service and uses returned presigned S3 URLs: users should be aware that uploaded content is sent to an external service.
No formal install spec is provided in the registry; SKILL.md instructs running npm install in scripts/, and package.json lists only dotenv as a runtime dependency (dev deps include tsx/typescript). There is no download-from-arbitrary-URL behavior. Installing will fetch packages from the public npm registry (normal but requires trusting dependencies), and the code will be executed locally.
The code legitimately requires a single service credential (ENDPOINTS_API_KEY) and optionally ENDPOINTS_API_URL; that is proportionate to a client for endpoints.work. The problem is the skill manifest/registry metadata declares no required env or primary credential, which is misleading. No other unrelated credentials are requested. The skill reads the .env file from the project root and will exit if ENDPOINTS_API_KEY is not set.
always is false and the skill does not request persistent platform-wide privileges. It writes files only under the repository/project results/ directory and does not alter other skills or system configuration. Autonomous invocation is allowed (default) but that alone is not flagged.
Guidance
What to consider before installing or running this skill:
- The runtime code requires an ENDPOINTS_API_KEY (and optionally ENDPOINTS_API_URL), but the registry metadata did not declare that; treat the metadata as inaccurate until corrected.
- The skill will upload text and file contents you pass to https://endpoints.work (via /api/scan) and may result in presigned S3 URLs being returned; do not upload sensitive or regulated data unless you fully trust the service and its policies.
- The skill reads arbitrary local file paths you provide (scanFile uses readFileSync). Only give paths for files you intend to send; consider running in a sandboxed environment if you are unsure.
- The package uses public npm packages; run npm install in an isolated/dev environment first, and inspect node_modules if you want to audit dependencies before executing.
- There's a mismatch between the SKILL.md workflow (mentions automatic summarization) and the provided code (which saves results but does not produce summaries); expect some missing functionality or stale documentation.

Recommended actions:
- Ask the skill publisher or registry maintainer to update the skill manifest to declare ENDPOINTS_API_KEY as a required environment credential and to provide a homepage/source for vetting.
- If you will use it, test with non-sensitive sample data and in an isolated environment (container/VM) first.
- Review the code and verify the network endpoints and returned URLs (ensure endpoints.work is the expected service) and check the service's privacy/storage policy before uploading real documents.
- Do not insert production secrets until you're confident about the code and service.
Latest Release
v1.0.0
Initial release: Scan documents with AI extraction, manage endpoints, check usage stats
Published by @adamkristopher on ClawHub