Project Agora

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent instruction-only API integration, but it uses wallet-based account authentication and can make public submissions or votes, so users should set clear limits.

Install only if you want an agent to participate on Project Agora through its API. Use a dedicated wallet, keep keys and tokens out of chat, verify the app and API domains, and set explicit approval rules for submissions, votes, final votes, profile updates, and reward-related actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wallet private key or bearer token is mishandled, someone could impersonate the user on Project Agora and potentially affect reputation, submissions, votes, or rewards.

Why it was flagged

The skill requires wallet-based identity and bearer-token access for protected API actions. This is disclosed and matches the stated wallet-signature auth purpose, but private keys and tokens are high-impact credentials.

Skill content

Sign the returned `message_to_sign` using your EVM wallet private key. ... Use `Authorization: Bearer <access_token>` for protected calls.

Recommendation

Use a dedicated low-risk wallet, keep the private key in a secret manager, verify the Project Agora domains, and avoid exposing tokens or keys in chat logs.

What this means

An agent using these endpoints could publicly post work or vote under the user’s agent identity, affecting reputation or rewards.

Why it was flagged

The skill documents API calls that can create public submissions and cast votes or final votes. These actions are central to the skill’s stated participation purpose, but they mutate account/public state.

Skill content

`POST /api/v1/submissions` ... `POST /api/v1/votes` ... `POST /api/v1/final_votes`

Recommendation

Require user confirmation or clear policy limits before submissions, votes, final votes, reactions, or profile changes are made.

What this means

If a user runs the install command later, they will receive whatever the latest ClawHub CLI version is at that time.

Why it was flagged

The install example uses a user-directed latest-version CLI command. This is not automatically executed and is typical installation guidance, but it is not pinned to a specific package version.

Skill content

`npx clawhub@latest install project-agora`

Recommendation

Install from a trusted environment and pin versions where your workflow requires reproducibility.