Ultimate Flashcards and Podcast Tutor
v1.0.4
AI-powered flashcard management with automated podcast generation and spaced-repetition study tools.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The advertised purpose (flashcard management and podcast generation via EchoDecks) matches the included client code and README, but there are surprising mismatches: the registry metadata at the top says "Required env vars: none" while SKILL.md and the code require ECHODECKS_API_KEY. The README links to echodecks.app while the client uses a BASE_URL on echodecks.com — the dual domains are inconsistent and should be explained.
Instruction Scope
SKILL.md limits runtime behavior to EchoDecks API operations and declares a single required env var (ECHODECKS_API_KEY). The implementation similarly only reads that env var and performs HTTP calls. There are no instructions to read arbitrary files or other credentials. However, SKILL.md declares the required env var in its own metadata while the registry metadata omits it; that mismatch could lead to the agent not prompting the user for the API key.
Install Mechanism
This is instruction-only with no install spec, and included code files are plain Python. No downloads, package installs, or extraction steps are present, so install risk is low.
Credentials
Only one credential (ECHODECKS_API_KEY) is used in code and SKILL.md, which is proportionate to an API client. But the registry metadata omitted required envs while SKILL.md and code require ECHODECKS_API_KEY — this inconsistency could cause accidental omission of the API key or confusion for users. Verify which manifest is authoritative before providing secrets.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and does not persist new credentials. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags here.
What to consider before installing
Key issues to resolve before installing:
- Confirm the required environment variable: SKILL.md and the code expect ECHODECKS_API_KEY, but the registry metadata claims none — don't provide secrets until this is fixed or clarified.
- Ask the author to explain the domain discrepancy: README links to echodecks.app while the client posts to echodecks.com; confirm the official API endpoint and that keys are sent only to the legitimate service.
- Tests, SKILL.md, and code disagree on parameter names and payload formats (e.g., card_id vs cardId, style vs voice/type) and on the exact base URL (tests expect a different path). These look like copy-paste or versioning bugs — request an updated, consistent set of files or run the tests locally in a safe environment to validate behavior.
- If you must test the skill, do so with a scoped/test API key (not a high-privilege personal key), monitor network requests, and review responses to ensure the key is only used for EchoDecks.
- Prefer skills from known publishers or with a clear homepage and contact info; this skill's source/homepage are unknown, which reduces trust. If the author cannot clarify these inconsistencies, treat the package as untrusted.

Like a lobster shell, security has layers — review code before you run it.
