Macrocosmos
Pass
Audited by ClawScan on May 1, 2026.
Overview
This documentation-only skill is consistent with fetching X/Reddit data through Macrocosmos, but users should note that it needs a Macrocosmos API key and sends search queries to an external service.
Before installing or using this skill, verify that you trust Macrocosmos and the listed API endpoint, use a revocable API key, and avoid sending sensitive search terms or real credentials in prompts or logs. The observed issues are metadata and credential-handling notes, not evidence of malicious behavior.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your search terms, usernames, date ranges, and result limits can be sent to Macrocosmos when the skill is used.
The skill instructs the agent how to send user-selected search parameters to an external API. This is disclosed and matches the stated purpose.
POST https://constellation.api.cloud.macrocosmos.ai/sn13.v1.Sn13Service/OnDemandData ... parameters include usernames, keywords, start_date, end_date, limit
Use the skill only for queries you are comfortable sending to Macrocosmos, and review broad or sensitive searches before running them.
Anyone using the skill must provide or expose a Macrocosmos API credential to make requests.
The skill requires a Macrocosmos API key and sends it as a Bearer token. This is expected for the service integration, with no evidence of unrelated credential use or leakage.
`MC_API` | **Yes** | `secret` | Macrocosmos API key ... Authorization: Bearer <YOUR_MC_API_KEY>
Use a dedicated/revocable Macrocosmos API key, avoid pasting real keys into prompts or logs, and revoke the key if you no longer use the skill.
Users cannot rely on the registry metadata alone to understand the source or credential requirements before use.
The registry metadata does not declare provenance or the credential requirement that SKILL.md describes. Because there is no code or install spec, this is a metadata/provenance gap rather than evidence of hidden executable behavior.
Source: unknown; Homepage: none ... Required env vars: none ... Primary credential: none
Verify the Macrocosmos endpoint and project identity before setting an API key; the publisher should declare the source/homepage and MC_API credential in metadata.
