PrepSPSC PYQ API
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only exam-prep API skill, with expected but noticeable use of an external service and API key.
Before installing, verify that you trust the PrepSPSC service and API endpoint, keep the API key private, and avoid sending non-exam sensitive information in prompts. The provided artifacts do not show hidden code, persistence, destructive behavior, or overbroad local access.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may check whether the PrepSPSC API key is configured and then call the documented API for exam-prep tasks.
The skill may lead the agent to run a simple environment-variable check and use documented API calls. The shown check does not print the secret and is scoped to setup.
Before guiding the user through setup, check if the API key is already available: ... if [ -n "$PREPSPSC_API_KEY" ]; then
Permit these operations only when using the PrepSPSC service, and review any shell command if your agent asks for execution approval.
Anyone with the API key may be able to make requests to the PrepSPSC service under that key.
The skill requires a service API key. This is expected for the stated API integration, but users should treat the key as a credential.
All requests require a Bearer token in the `Authorization` header. API keys start with `sk_live_`.
Store the API key securely, avoid pasting it into shared chats or files, and revoke or rotate it if exposed.
Exam-prep queries and related parameters may be processed by the external PrepSPSC/Supabase service.
The skill sends search or mock-test parameters to an external API endpoint. This is disclosed and purpose-aligned, but it is still an external data flow.
Base URL | `https://qqqditxzghqzodvauxth.supabase.co/functions/v1/pyq-api` ... `"query": "Fundamental Rights Article 21"`
Use it for exam-prep content and avoid including private, personal, or unrelated sensitive information in API queries.