ClawHub

EchoDecks

v1.0.2

AI-powered flashcards and audio podcasts for active recall.

1· 1.7k·0 current·0 all-time
by@drgeld
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (flashcards + podcasts) matches the code's behavior: the client issues HTTP requests to echodecks.com and supports deck/card/podcast operations. However the registry metadata claims no required env vars while SKILL.md and the client require ECHODECKS_API_KEY — an inconsistency.
!
Instruction Scope
SKILL.md describes tools and parameters, but many parameter names and expected fields differ from the implementation (e.g., SKILL.md/test references 'voice'/'type' vs code uses 'style', 'card_id' vs 'cardId', and CLI subcommand flags vary). The example call path in SKILL.md matches the CLI, but the mismatches mean the runtime behavior may not match what the docs tell the agent to send/expect.
Install Mechanism
No install spec (instruction-only + bundled Python files). No downloads or external installers. Risk is limited to the included Python code being executed; nothing is pulled from untrusted URLs at install time.
!
Credentials
The client legitimately needs a service API key (ECHODECKS_API_KEY) to call the remote API, which is proportionate to its purpose. However the registry metadata does not declare this required env var (mismatch), and the SKILL.md explicitly says the API key is required. That mismatch could cause silent failures or misconfiguration; ask the publisher to correct the manifest. Also confirm what privileges the API key grants before providing it.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and can be autonomously invoked (platform default), which is expected for skills of this type.
What to consider before installing
This package appears to implement an EchoDecks API client (network calls to echodecks.com) and sensibly requires an API key — that part is coherent with its purpose. However there are multiple mismatches between the registry manifest, SKILL.md, the Python client, and the unit tests (different request URLs, different parameter names/casing). Before installing or providing your ECHODECKS_API_KEY: 1) Ask the publisher to fix the manifest and docs so declared env vars match the code. 2) Verify the API host (echodecks.com) is the official service and confirm what access the API key grants; use a minimally privileged/test key if possible. 3) Because the skill makes outbound HTTP calls, avoid giving a high-privilege key until you confirm request payloads and endpoints. 4) If you plan to enable autonomous invocation, be extra cautious — the agent could call the remote API without prompting. If you want help, provide the corrected manifest or ask the publisher to reconcile the parameter and URL mismatches so we can re-evaluate with higher confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bgsgbb72xmkqnr8292vcvxd80nw38publicvk9761k07tejw76pfhp0q30q31580j1f6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments