acpx Security Report — Trusted | ClawSafe

5 /100

acpx

Use acpx as a headless ACP CLI for agent-to-agent communication, including prompt/exec/sessions workflows, session scoping, queueing, permissions, and output formats.

This skill is a pure documentation file (SKILL.md) describing the `acpx` CLI tool for agent-to-agent communication. No implementation code, scripts, or malicious behavior is present.

Skill Nameacpx

Duration31.2s

Enginepi

✓

Safe to install

No action needed. This is a documentation-only skill. Ensure the external `acpx` npm package is sourced from a trusted registry.

Findings 2 items

Severity	Finding	Location
Info	External npm package dependency Supply Chain The skill documents the use of external npm packages (acpx, @zed-industries/codex-acp, pi-acp, etc.) invoked via npx. Version pinning is not enforced in documentation. `npm i -g acpx; npx @zed-industries/codex-acp` → Pin package versions in production workflows to prevent dependency confusion attacks.	`SKILL.md:70`
Info	Permission mode flags documented Doc Mismatch The skill documents --approve-all, --approve-reads, and --deny-all flags that control what the acpx tool can do. This is legitimate CLI design for permission control. `--approve-all: auto-approve all permission requests` → No action needed. This is standard permission control design for agent tools.	`SKILL.md:159`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file operations in SKILL.md
Network	`NONE`	`NONE`	—	No network operations in SKILL.md
Shell	`NONE`	`NONE`	—	No shell execution in SKILL.md
Environment	`NONE`	`NONE`	—	No env access in SKILL.md
Skill Invoke	`NONE`	`NONE`	—	No skill invocation in SKILL.md
Clipboard	`NONE`	`NONE`	—	No clipboard access in SKILL.md
Browser	`NONE`	`NONE`	—	No browser access in SKILL.md
Database	`NONE`	`NONE`	—	No database access in SKILL.md

File Tree

1 files · 10.2 KB · 321 lines

Markdown 1f · 321L

└─ 📝 SKILL.md Markdown 321L · 10.2 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`acpx`	`*`	npm	No	Not pinned in documentation
`@zed-industries/codex-acp`	`*`	npx	No	Not pinned in documentation
`pi-acp`	`*`	npx	No	Not pinned in documentation

Security Positives

✓ No implementation code present - pure documentation

✓ No credential harvesting or exfiltration behavior

✓ No obfuscated code or base64 payloads

✓ No suspicious network connections documented

✓ No filesystem operations without user consent

✓ No reverse shell or C2 behavior

✓ No supply chain attack indicators within the skill itself

✓ Clear and accurate documentation of the tool's behavior

Scan Report

Findings 2 items

File Tree

Dependencies 3 items

Security Positives