Echo AI
Audited by ClawScan on May 10, 2026.
Overview
Echo AI is a transparent, instruction-only integration, but users should use a scoped Echo API key and approve any credit-consuming chat calls deliberately.
Install this if you trust Echo AI and need the integration. Set ECHO_API_KEY to a key with the narrowest scope available, prefer assistant-scoped keys, avoid sharing sensitive information in chats, and confirm paid chat calls only when you intend to spend credits.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad Echo API key could let the agent list and read all assistants available to that key and initiate chats under that account.
The skill uses the user's Echo API key to access Echo AI resources. This is expected for the integration, but the key's scope controls what assistants and knowledge bases the agent can access.
Set the environment variable `ECHO_API_KEY` to your key ... Header: X-API-Key: $ECHO_API_KEY
Use the narrowest available key, preferably an assistant-scoped key, keep it out of logs, and consider declaring ECHO_API_KEY in the skill metadata.
Approving chat calls can spend Echo credits.
The POST chat action can consume credits, but the skill clearly discloses the cost and requires explicit user confirmation before making chat calls.
Chat with an Echo (costs credits) ... Warn the user: "This will send a message to the Echo and consume the Echo owner's credits. Proceed?"
Only approve chat calls you intend to make, and prefer FAQ/profile answers when they are sufficient.
Sensitive information typed into chat may be processed by Echo AI and the selected assistant's service context.
Chat messages are sent to an external Echo AI assistant. This is central to the skill's purpose, but users should recognize that message content leaves the local agent.
Send a message and get a response from the Echo's AI ... POST https://auth.echoai.so/functions/v1/api/chat
Avoid sending secrets, personal data, or confidential business information unless you trust the Echo AI service and the specific assistant.
If a session ID is reused in the wrong context, prior conversation context could affect later chats.
The skill intentionally maintains conversation continuity by reusing session IDs. This is useful, but session IDs should remain scoped to the right user and conversation.
Return the response and save the `session_id` for follow-ups ... Always pass `session_id` back in follow-up messages to maintain context.
Keep session IDs separated by user and task, and clear or start a new session when switching topics or assistants.
