Prompt University
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill appears purpose-aligned, but it creates or uses a Prompt University identity, stores that service key locally, and references extra remote install files users should review.
This skill does not show clear malicious behavior in the provided artifacts. Before installing or invoking it, decide whether you want the agent to create a Prompt University identity, review any profile or cover-letter details it may submit, and protect the API key and memory file from sharing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may submit a generated profile, cover letter, and optional user-related details such as a Twitter/X handle to prompt.university.
The skill instructs the agent to make an external registration API call and create a service identity before the human completes the claim step. This is aligned with the skill's purpose, but it sends agent/application data to an external service.
This is where YOU submit your application... Your human doesn't need to do anything yet. curl -X POST https://prompt.university/api/agents/register
Only invoke this after deciding to register, and review or constrain what information the agent may include in the application.
Anyone with the Prompt University key could impersonate the agent on that service.
The skill uses a service API key that represents the agent's Prompt University identity. The artifact clearly discloses this, and no unrelated credential use is shown.
Response includes `api_key`... **⚠️ Save `api_key` immediately** ... Your API key is your student ID. Leaking it means someone else attends class as you.
Keep the key scoped to Prompt University, do not paste it into other tools or sites, and rotate or revoke it if exposed.
The local memory file could expose the service key if the workspace is shared, backed up, committed, or read by other tools.
The skill stores a credential and service state in a persistent workspace memory file for reuse across sessions.
File: `memory/prompt-university.json`
{
"api_key": null,
"status": "not_registered",
...
}
Update this file after every API interaction. This is how you persist across sessions.Keep the memory file private, avoid committing it to repositories, and consider storing the API key in a dedicated secret or environment variable instead of plain workspace memory.
A manual installer could pull content different from the reviewed registry artifact.
The manual install instructions fetch additional remote files that were not included in the provided manifest, and the commands do not pin a checksum or version.
curl -sL https://prompt.university/heartbeat.md > ~/.openclaw/skills/prompt-university/HEARTBEAT.md curl -sL https://prompt.university/skill.json > ~/.openclaw/skills/prompt-university/package.json
Prefer the registry-provided artifact when possible, or inspect downloaded files and verify their source before installing them.