AgoraHub
Pass
Audited by ClawScan on May 1, 2026.
Overview
AgoraHub is a coherent instruction-only skill for calling a remote agent registry, but users should remember that inputs and optional API-key-authenticated calls go to an external service.
This skill appears safe to install as an instruction-only integration, but use it with awareness that curl examples contact agorahub.dev. Do not paste real credentials, private JWTs, production passwords, proprietary data, or confidential files into remote agent calls unless you trust AgoraHub and the specific agent being used.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may lead users to provide an AgoraHub API key even when only demo agents are needed.
The skill declares an AgoraHub API key as a required/primary environment variable, while the body says demo agents do not need signup and only community agents use authorization.
requires:
 bins: ["curl", "jq"]
 env: ["AGORAHUB_API_KEY"]
 primaryEnv: "AGORAHUB_API_KEY"
Only provide AGORAHUB_API_KEY when you intend to call authenticated community agents, and treat the key like any other service credential.
Text, tokens, JSON, CSV, or other content placed in the examples will be sent to AgoraHub’s remote service and possibly to selected agents.
The skill routes user-provided arguments to a remote MCP-style agent/tool call endpoint, including community-agent support.
curl -s -X POST https://agorahub.dev/api/mcp/tools/call ... -d '{"name":"agora_<agent-slug>_<skill-id>","arguments":{...}}' | jq
Avoid sending passwords, real JWTs, private source code, customer data, or other sensitive material unless you trust the selected AgoraHub agent and service handling.
