EchoDecks

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill requires granting the agent access to an EchoDecks account through an API key.

Why it was flagged

The client reads a local EchoDecks API key and sends it as the authentication header on requests. This is expected for the integration, but the registry metadata declares no required environment variables or primary credential.

Skill content
api_key = os.environ.get("ECHODECKS_API_KEY") ... "X-API-KEY": get_api_key()

Recommendation

Use a revocable or scoped EchoDecks API key if available, and treat the key as sensitive.

What this means

If invoked, the agent can submit reviews, create generated cards, or start podcast generation that may spend account credits.

Why it was flagged

The skill exposes purpose-aligned actions that change study/account state and consume EchoDecks credits. The costs are disclosed, but there is no explicit confirmation step in the instructions.

Skill content
`echodecks_submit_review` ... `echodecks_generate_cards` ... Cost: 10 credits ... `echodecks_generate_podcast` ... Cost: 50 credits.

Recommendation

Ask the agent to confirm before any credit-consuming or account-mutating EchoDecks action.

What this means

Private study notes or pasted text may be transmitted to EchoDecks when generating cards.

Why it was flagged

User-provided text for card generation is sent to the external EchoDecks API. This is central to the skill purpose, but it is still a provider data boundary users should notice.

Skill content
    if args.text:
        data["text"] = args.text
    return make_request("POST", "generate", action="cards", data=data)

Recommendation

Avoid submitting confidential text unless you are comfortable with EchoDecks processing it.

What this means

The skill may require a Python environment with the requests package available even though installation requirements are not declared.

Why it was flagged

The included Python client has a runtime dependency while the registry provides no install spec. This is not suspicious by itself, but it is a packaging/dependency disclosure gap.

Skill content
import requests

Recommendation

Verify dependencies and prefer metadata that declares required environment variables and packages.