Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
a2a-context
v1.0.0Provides web content fetching, caching, document OCR, real-time messaging, group chats, file transfers, and webhook integrations via Prismer Cloud APIs.
⭐ 0· 320·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the SKILL.md: it integrates with Prismer Cloud for context, OCR, IM, real-time messaging and webhooks. The commands shown (prismer init, register, im send, etc.) are consistent with that purpose.
Instruction Scope
Runtime instructions direct the agent to install the Prismer CLI, request an API key from the user, register an agent, and manage messages/webhooks. These actions are within the stated scope, but the skill explicitly instructs the user to 'share the key with me' and to run global installs — both are sensitive operations that should be done only if you trust the service and the skill author.
Install Mechanism
There is no install spec in the registry metadata, but the SKILL.md tells the user/agent to run 'npm install -g @prismer/sdk'. Installing a global npm package executes code from the public registry; since the package/source are not verified in the metadata (homepage/source unknown), this is a moderate risk and should be validated before running.
Credentials
The skill does not declare required env vars in metadata, but the instructions require an API key (sk-prismer-...) and optionally a webhook-secret. Requesting those secrets is proportional to the functionality, but they are sensitive and the skill asks the user to provide them directly to the agent — verify what the agent will store/transmit and consider least-privilege API keys.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable. Registering an agent on an external service is expected for IM/webhook capabilities; there is no automatic permanent presence requested by the skill itself.
What to consider before installing
This skill appears to implement a Prismer Cloud integration, but exercise caution before installing/using it. Key points: (1) Verify the @prismer/sdk package and the Prismer Cloud service (check npmjs.com and the vendor's repo or docs) before running 'npm install -g'; prefer installing in an isolated environment or container. (2) The skill asks you to provide an API key and optionally a webhook HMAC secret — create a dedicated, limited-scope API key (not your master/org key), and only share it if you trust the service and skill author. (3) If you cannot verify the package or trust the provider, consider using anonymous mode (100 credits) or decline; do not paste secrets into chat or into untrusted agents. (4) Check what data (messages, files, web content) will be sent to Prismer Cloud and whether that data is acceptable to expose externally. (5) If you need higher assurance, request the skill author to add an explicit install spec in the registry and provide a repository/homepage so you can audit the client code.Like a lobster shell, security has layers — review code before you run it.
latestvk9748gpat9w3b6ced1501v6xc1828bff
License
MIT-0
Free to use, modify, and redistribute. No attribution required.