EchoDecks
PassAudited by ClawScan on May 1, 2026.
Overview
EchoDecks is a coherent EchoDecks API integration, but users should notice that it uses an API key, sends study content to EchoDecks, and can spend account credits when generating content.
This appears safe to install if you trust EchoDecks with your study data and API key. Before use, provide only a revocable/scoped key if possible, avoid sending confidential text, and require confirmation before generating cards or podcasts that spend credits.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill requires granting the agent access to an EchoDecks account through an API key.
The client reads a local EchoDecks API key and sends it as the authentication header on requests. This is expected for the integration, but the registry metadata declares no required environment variables or primary credential.
api_key = os.environ.get("ECHODECKS_API_KEY") ... "X-API-KEY": get_api_key()Use a revocable or scoped EchoDecks API key if available, and treat the key as sensitive.
If invoked, the agent can submit reviews, create generated cards, or start podcast generation that may spend account credits.
The skill exposes purpose-aligned actions that change study/account state and consume EchoDecks credits. The costs are disclosed, but there is no explicit confirmation step in the instructions.
`echodecks_submit_review` ... `echodecks_generate_cards` ... Cost: 10 credits ... `echodecks_generate_podcast` ... Cost: 50 credits.
Ask the agent to confirm before any credit-consuming or account-mutating EchoDecks action.
Private study notes or pasted text may be transmitted to EchoDecks when generating cards.
User-provided text for card generation is sent to the external EchoDecks API. This is central to the skill purpose, but it is still a provider data boundary users should notice.
if args.text:
data["text"] = args.text
return make_request("POST", "generate", action="cards", data=data)Avoid submitting confidential text unless you are comfortable with EchoDecks processing it.
The skill may require a Python environment with the requests package available even though installation requirements are not declared.
The included Python client has a runtime dependency while the registry provides no install spec. This is not suspicious by itself, but it is a packaging/dependency disclosure gap.
import requests
Verify dependencies and prefer metadata that declares required environment variables and packages.