Strykr Prism

v1.1.2

Real-time financial data API for AI agents. Stocks, crypto, forex, ETFs. 120+ endpoints. Alternative to Alpha Vantage, CoinGecko. Works with Claude, Cursor.

by Next Frontier AI (@nextfrontierbuilds)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and scripts all describe a market-data API and the provided endpoints align with that purpose. However, the skill metadata and repository/homepage situation is inconsistent: registry metadata lists no required env vars while skill.json declares PRISM_API_KEY as required, and the declared upstream (https://strykr-prism.up.railway.app) has no homepage or official owner linked in the package manifest. These inconsistencies reduce trust.
Instruction Scope
SKILL.md instructs the agent to send user queries, symbols, and wallet addresses to the external PRISM_URL via curl (expected for a data API). It does not instruct reading local files or unrelated system state. However, examples do not show sending an API key (Authorization header or query param), despite asking users to export PRISM_API_KEY — the mismatch is concerning because it's unclear how credentials are used or protected when requests are made.
Install Mechanism
There is no install spec (instruction-only), which is low risk in itself. But the included helper script uses curl and jq; the skill's declared required binaries list is empty, so the runtime dependency on jq/curl is undocumented. That mismatch can cause runtime failures or lead agents to try to install or invoke missing tools unexpectedly.
Credentials
skill.json marks PRISM_API_KEY as required and SKILL.md tells users to export it, but the registry metadata provided earlier listed no required env vars. The runtime script never includes or demonstrates sending PRISM_API_KEY in requests (no Authorization header or query param shown). This could mean: (a) the key is actually required but the examples omit it (poor docs), (b) the key is unused (misconfigured metadata), or (c) the implementation expects the key in a non-obvious place. Any of these is suspicious because it affects how, or whether, secrets are transmitted to the external service.
Persistence & Privilege
The skill does not request always:true, has no install spec that writes to disk beyond including a helper script, and does not ask to modify other skills or system-wide settings. It can be invoked by the model (normal behavior) but does not request elevated persistence privileges.
What to consider before installing
Before installing, verify the upstream service and credential handling:
1) Confirm the upstream project's homepage/repository and that the GitHub repo in skill.json actually exists and is maintained; the package currently has no authoritative homepage.
2) Ask the maintainer how PRISM_API_KEY is transmitted (Authorization header, query param, or not at all). Do not export/send secrets until you understand where they go.
3) Expect the helper script to require curl and jq; ensure those binaries are present or documented.
4) Remember this skill sends user-supplied identifiers (symbols, wallet addresses, queries) to an external third-party endpoint — only use it with non-sensitive data or when you trust the operator.
5) If you need higher assurance, request signed releases, an official domain/terms/privacy policy, or run your own audited gateway rather than relying on the railway.app endpoint.
Given the mismatches in metadata and missing credential usage, proceed only after resolving these questions.

Like a lobster shell, security has layers — review code before you run it.
