PrepSPSC PYQ API
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: prepspsc-pyq Version: 1.0.0 The skill bundle is benign. It provides instructions for an AI agent to interact with a legitimate-looking API (`https://qqqditxzghqzodvauxth.supabase.co`) for exam preparation. All `curl` commands and agent instructions in `SKILL.md` are directly related to the stated purpose of searching questions, generating mock tests, and tracking user progress. There is no evidence of prompt injection attempts, unauthorized data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The agent is instructed to check for a specific environment variable (`$PREPSPSC_API_KEY`), which is a standard and expected practice for API authentication.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may check whether the PrepSPSC API key is configured and then call the documented API for exam-prep tasks.
The skill may lead the agent to run a simple environment-variable check and use documented API calls. The shown check does not print the secret and is scoped to setup.
Before guiding the user through setup, check if the API key is already available: ... if [ -n "$PREPSPSC_API_KEY" ]; then
Permit these operations only when using the PrepSPSC service, and review any shell command if your agent asks for execution approval.
Anyone with the API key may be able to make requests to the PrepSPSC service under that key.
The skill requires a service API key. This is expected for the stated API integration, but users should treat the key as a credential.
All requests require a Bearer token in the `Authorization` header. API keys start with `sk_live_`.
Store the API key securely, avoid pasting it into shared chats or files, and revoke or rotate it if exposed.
Exam-prep queries and related parameters may be processed by the external PrepSPSC/Supabase service.
The skill sends search or mock-test parameters to an external API endpoint. This is disclosed and purpose-aligned, but it is still an external data flow.
Base URL | `https://qqqditxzghqzodvauxth.supabase.co/functions/v1/pyq-api` ... `"query": "Fundamental Rights Article 21"`
Use it for exam-prep content and avoid including private, personal, or unrelated sensitive information in API queries.