Apiosk Publish

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated purpose, but it uses a local wallet private key and can publish, update, or deactivate Apiosk listings, so users should run it only for intentional account changes.

Use this skill only if you intend to manage Apiosk marketplace listings. Keep the wallet private key protected, use a dedicated wallet where possible, verify the exact slug and listing changes before update/delete actions, and make sure the required local tools are installed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wallet key is misused or exposed, someone could sign Apiosk management requests as that wallet, affecting listings tied to the account.

Why it was flagged

The skill requires wallet identity and private-key material to sign Apiosk management requests. This is expected for the stated purpose, but the credential is powerful and should be handled carefully.

Skill content

Wallet:
  - `~/.apiosk/wallet.json` (preferred, includes `address` + `private_key`)
  - or `APIOSK_PRIVATE_KEY` env var
  - or `--private-key` flag

Recommendation

Use a dedicated low-risk wallet if possible, protect `~/.apiosk/wallet.json`, avoid passing private keys in shared terminals, and review the exact command before signing management actions.

What this means

A mistaken command could publish an unintended endpoint, change pricing or metadata, or deactivate a listing.

Why it was flagged

The documented endpoints include mutating account/listing operations such as register, update, and delete/deactivate. They are purpose-aligned and scoped, but they can materially affect a user’s Apiosk marketplace presence.

Skill content

- `POST /v1/apis/register`
- `GET /v1/apis/mine?wallet=0x...`
- `POST /v1/apis/:slug`
- `DELETE /v1/apis/:slug?wallet=0x...`

Recommendation

Before running update or delete/deactivate commands, confirm the slug, endpoint URL, price, description, and active status. Consider asking the agent to show the full command and payload first.

What this means

Automated pre-install checks may not warn that the skill needs local tools and wallet credentials before use.

Why it was flagged

The registry-level requirement view does not reflect the runtime needs disclosed in the bundled files, including curl, jq, cast, and Apiosk wallet access. This appears to be under-declared metadata rather than hidden behavior.

Skill content

Required binaries (all must exist): none ... Primary credential: none ... Required config paths: none

Recommendation

Install and verify `curl`, `jq`, and Foundry `cast` yourself, and treat wallet access as a required credential even though the registry metadata does not list it.