ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Prefy

Connect to Prefy AI platform — Conductor API (19 models, OpenAI-compatible), server management, web search, image generation, phone calls (AutoCall). Use whe...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 200 · 0 current installs · 0 all-time installs
by@runrelay
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to connect to the Prefy platform (chat, search, images, servers, AutoCall). The SKILL.md shows it needs a Prefy API key (PREFY_API_KEY / pc_...), a Supabase JWT for server/agent APIs, and implies integration with Stripe and third-party audio providers. However, the registry metadata lists no required environment variables or primary credential. Declaring no credentials is inconsistent with the documented usage and credential patterns in SKILL.md.
Instruction Scope
SKILL.md provides concrete API endpoints and sample payloads and stays within the described Prefy capabilities. It does, however, document server management 'agent commands' that include 'shell <cmd>' (remote shell execution on provisioned servers) and creating Stripe checkouts, which are high-privilege actions. The instructions do not ask the agent to read local files or unrelated system state, but they do enable potentially dangerous remote operations if invoked with credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk or downloaded at install time. That minimizes install-time risk.
!
Credentials
The SKILL.md expects secret credentials (Prefy API key, Supabase JWT) and hints at Stripe usage and third-party audio services, but the skill metadata lists none. Requiring multiple secrets for different subsystems (API, auth for server agents, payment) is plausible for the described functionality but must be explicitly declared; the omission is a proportionality and transparency issue. Any required tokens would grant significant access (API calls, server control, payment flow).
Persistence & Privilege
The skill is not marked always:true and is user-invocable with normal autonomous invocation settings. It does not request persistent presence or modifications to other skills. That privilege level is typical for an integration skill.
What to consider before installing
The skill appears to document genuine Prefy API endpoints, but the metadata fails to declare the secret keys the SKILL.md clearly expects. Before installing or enabling this skill: 1) Ask the author to explicitly list required environment variables (e.g., PREFY_API_KEY, SUPABASE_JWT, any Stripe keys) in the skill manifest. 2) Only provide the minimum-scoped credentials necessary (use per-skill API keys or short-lived tokens if possible). 3) Be cautious about granting server-agent JWTs or payment credentials — these enable remote shell commands and creating payment checkouts. 4) Verify the official Prefy documentation and TLS endpoints (https://prefy.com/docs) and confirm the skill's source/maintainer identity. 5) If you must test, do so in an isolated account or sandbox environment with limited privileges. If the author cannot justify the undeclared credentials, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97bav6ta16440k5e1jz25kz5x82492b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Prefy — AI Platform Skill

Quick Start

# Chat completion (OpenAI-compatible, streaming)
curl https://prefy.com/api/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $PREFY_API_KEY" \
  -d '{"model":"conductor:fast","messages":[{"role":"user","content":"Hello"}],"stream":true}'

Authentication

All endpoints require Authorization: Bearer <key> header.

  • Conductor API: Use Prefy API key (starts with pc_)
  • Server/Agent APIs: Use Supabase JWT token

Conductor AI — Smart Model Router

POST https://prefy.com/api/v1/chat/completions

OpenAI-compatible. Drop-in replacement. Supports streaming.

Models

ModelBest ForSpeed
conductorAuto-route to best modelAuto
conductor:fastSpeed priority
conductor:qualityQuality priorityMedium
conductor:creativeCreative tasksMedium
conductor:privatePrivacy priorityVaries
gemini-flashQuick tasks
gemini-proGeneral purposeFast
gpt-4oBest all-roundFast
gpt-4o-miniBudget tasks
claude-sonnetAnalysis, writingFast
deepseek-v3Code, mathFast
deepseek-r1Chain-of-thoughtMedium
llama-70bComplex reasoningMedium
groq-llamaSpeed-critical
qwen-7bMultilingualFast

Strategies

Append strategy to conductor model name:

  • :fast — Gemini Flash / Groq (cheapest, fastest)
  • :quality — GPT-4o / Claude (best quality)
  • :creative — High temperature, diverse outputs
  • :private — Routes through privacy-first providers

Web Search

POST https://prefy.com/api/v1/search

{"query": "latest AI news", "max_results": 5}

Returns Tavily search results with snippets.

Image Generation

POST https://prefy.com/api/v1/images/generate

{"prompt": "a sunset over mountains", "model": "flux-schnell"}

Returns base64 image. Uses Together AI FLUX Schnell (free tier).

Server Management

Provision and manage dedicated VPS servers.

  • POST /api/v1/servers/checkout — Create Stripe checkout for server plan
  • POST /api/v1/servers/command — Send command to server agent
  • GET /api/v1/servers/hetzner — List user's servers

Server Plans

PlanPriceSpecs
starter$9.99/mo2 vCPU, 2GB RAM, 40GB SSD
plus$14.99/mo4 vCPU, 8GB RAM, 80GB SSD
pro$29.99/mo8 vCPU, 16GB RAM, 160GB SSD

Agent Commands

Send via POST /api/v1/servers/command:

{"serverId": "...", "command": "stats"}

Available: stats, ollama list/pull/run/rm, cron list/add/remove, bot connect/stop/status, shell <cmd>

Agent API

POST https://prefy.com/api/v1/agent

Intelligent agent with memory, web search, intent detection.

{"message": "Find flights from Dubai to London next week", "userId": "..."}

Auto-detects intent: chat, search, flights, hotels, call.

AutoCall (Phone Calls)

POST https://prefy.com/api/v1/autocall

AI phone calls to restaurants/hotels (Vapi + ElevenLabs).

{
  "phone": "+971...",
  "venue_name": "Restaurant Name",
  "task": "Book table for 2, Friday 8pm",
  "language": "en"
}

Events & Activities

GET https://prefy.com/api/v1/events?city=Dubai

Returns upcoming events and activities for a city.

Rate Limits

TierRequests/day
Free10
Starter ($4.99/mo)100
Pro ($14.99/mo)500
BYOKUnlimited

Docs

Full documentation: https://prefy.com/docs

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…