Strykr Prism
Pass
Audited by ClawScan on May 1, 2026.
Overview
Strykr Prism appears to be a read-only finance data API skill, with minor review notes around its remote API use, API-key metadata, and version/provenance consistency.
This skill looks appropriate for read-only market-data and token-analysis lookups. Before installing, confirm you trust the PRISM API endpoint and publisher, use only a PRISM-specific API key, and avoid submitting wallet addresses or financial queries you do not want shared with the external API provider.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may be asked to provide an API key even though the registry summary does not disclose a primary credential requirement.
The supplied registry metadata says no credential is required, while SKILL.md instructs `export PRISM_API_KEY="your-api-key"` and skill.json marks `PRISM_API_KEY` as required. This is under-declared credential metadata for a purpose-aligned API integration.
Required env vars: none; Env var declarations: none; Primary credential: none
Treat the PRISM key as a service credential and use a revocable/scoped key if available. The publisher should align registry metadata with SKILL.md and skill.json.
Financial lookups or wallet addresses you ask the skill to check may be visible to the PRISM API provider or to any custom PRISM_URL you configure.
The helper sends requested symbols, natural-language finance queries, token contracts, and wallet addresses to an external API endpoint. This is expected for the skill's stated finance-data purpose, but users should understand the data leaves their environment.
PRISM_URL="${PRISM_URL:-https://strykr-prism.up.railway.app}" ... wallet) curl -s "$PRISM_URL/wallets/$2/balances" | jq .
Use the default or another trusted PRISM_URL only, and avoid submitting wallet addresses or queries you do not want shared with the API provider.
Users may have less clarity about which published version or source repository corresponds to the installed skill.
The supplied registry lists version 1.1.2 and source/homepage as unknown, while SKILL.md lists version 1.1.1 and skill.json lists version 1.0.0 with a repository. This version/provenance inconsistency is a package-coherence note, not evidence of malicious behavior.
"version": "1.0.0", "repository": "https://github.com/NextFrontierBuilds/strykr-prism-skill"
Verify the repository and publisher before relying on the skill. The publisher should align the version/source fields in the registry, SKILL.md, and skill.json.
