Ultimate Flashcards and Podcast Tutor

PassAudited by ClawScan on May 1, 2026.

Overview

The skill is coherent for EchoDecks study workflows, but it requires an API key and can send study content to EchoDecks while performing account-changing or credit-using actions.

This appears safe to install if you trust EchoDecks and the skill publisher. Before use, confirm you are comfortable providing an EchoDecks API key, sending study text to the service, and allowing the agent to perform actions that create content, update reviews, or spend EchoDecks credits.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone using this skill must trust it with their EchoDecks API key and the account permissions that key provides.

Why it was flagged

The client authenticates every API request with the user's ECHODECKS_API_KEY, giving the skill delegated access to the user's EchoDecks account.

Skill content

"X-API-KEY": get_api_key()

Recommendation

Use a scoped or revocable EchoDecks key if available, and revoke or rotate the key if you stop using the skill.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If invoked, the agent can spend EchoDecks credits and create new study or podcast content in the user's account.

Why it was flagged

The skill exposes actions that generate content and consume EchoDecks credits; this is disclosed and purpose-aligned, but still affects the user's account balance.

Skill content

echodecks_generate_cards ... Cost: 10 credits ... echodecks_generate_podcast ... Cost: 50 credits

Recommendation

Confirm expensive generation requests before letting the agent create cards or podcasts, especially for broad prompts.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Text you provide for flashcard generation may be transmitted to EchoDecks for processing.

Why it was flagged

Raw text supplied for card generation is posted to the remote EchoDecks API, so private study material may leave the local agent environment.

Skill content

if args.text:
        data["text"] = args.text
    return make_request("POST", "generate", action="cards", data=data)

Recommendation

Avoid sending confidential, regulated, or highly sensitive material unless you trust EchoDecks' handling of that data.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

The install listing may not fully communicate the credential requirement or provenance before a user reads the artifacts.

Why it was flagged

The registry metadata does not identify a source/homepage or declare the API-key requirement, although the included SKILL.md and README.md do disclose ECHODECKS_API_KEY.

Skill content

Source: unknown; Homepage: none; Required env vars: none; Env var declarations: none

Recommendation

Verify that the publisher and EchoDecks API endpoint are trustworthy before adding an API key.