Maay
Access ATXP paid API tools for web search, AI image generation, music creation, video generation, and X/Twitter search. Use when users need real-time web sea...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 474 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md describes accessing ATXP paid APIs (search, image, music, video, X) and the provided commands/programmatic snippets match that purpose. However the skill metadata (name 'Maay', slug 'sss', registry owner id) does not match the SKILL.md top-level name ('atxp') and the _meta.json ownerId differs from the registry owner — an incoherence. Also the runtime uses an ATXP_CONNECTION environment variable but the skill declares no required env vars.
Instruction Scope
Instructions tell the agent to run 'npx atxp login' and to 'source ~/.atxp/config' and to check $ATXP_CONNECTION. Sourcing a config file executes its contents in the shell and can run arbitrary code; relying on 'npx' fetches and runs code from the npm registry at runtime. The SKILL.md references an env var (ATXP_CONNECTION) and a home config path that are not declared in the skill metadata.
Install Mechanism
There is no install spec, but instructions rely on 'npx atxp' which will dynamically download and execute a package from the npm registry. Dynamic npx installs are effectively arbitrary remote code execution unless the package is known and verified. The skill provides no provenance (homepage, official package name verification) for the 'atxp' package.
Credentials
The SKILL.md expects an ATXP_CONNECTION credential (and suggests sourcing ~/.atxp/config) but the skill declares no required environment variables or primary credential. That mismatch is important: the agent will be instructed to load credentials not declared in the skill manifest. The skill will also send queries and prompts to external MCP servers listed in the doc.
Persistence & Privilege
The skill does not request 'always: true' and is not asking to modify other skills or global agent settings. However the login flow writes/sources ~/.atxp/config which could persist credentials and execute config content — users should be cautious about allowing automatic sourcing of files in their home directory.
What to consider before installing
This skill appears to wrap the ATXP CLI, which is plausible for the described features, but there are several red flags you should consider before installing or running it:
- Metadata mismatch: the package name in SKILL.md ('atxp') and owner IDs in _meta.json differ from the registry metadata (skill name/slug/owner). Ask the publisher to correct and justify these inconsistencies.
- Undeclared credential: SKILL.md references $ATXP_CONNECTION and ~/.atxp/config but the skill manifest declares no required env vars. Treat any skill that loads credentials not declared in its manifest as suspicious.
- Dynamic remote code: the recommended 'npx atxp login' will download and run an npm package at runtime. Only run this if you trust the package's publisher; inspect the package source first or run it in a sandbox.
- Sourcing user config: 'source ~/.atxp/config' executes that file. Inspect ~/.atxp/config before sourcing; do not source files from unknown packages without review.
- External endpoints: the MCP server domains (e.g., search.mcp.atxp.ai) will receive search queries and prompts. Do not send sensitive information to these endpoints unless you trust the service and have reviewed its privacy/security posture.
Actions you can take:
- Ask the skill author to update the manifest to declare ATXP_CONNECTION as a required env/primary credential and to correct owner/name/slug to match SKILL.md.
- Request a homepage or link to the 'atxp' npm package and verify the package contents and publisher identity on npm/GitHub before running 'npx atxp'.
- If you must test, run 'npx' and 'atxp login' in an isolated environment (VM/container) and inspect ~/.atxp/config before sourcing it.
- Prefer explicit programmatic API keys with limited scopes rather than auto-sourcing config files.
Given these inconsistencies and the fact the skill instructs the agent to fetch and execute remote code and source a user config, treat this skill as suspicious until the author provides corrected metadata and provenance.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
ATXP Tools
Access ATXP's paid API tools via CLI.
Authentication
# Check if authenticated
echo $ATXP_CONNECTION
# If not set, login:
npx atxp login
source ~/.atxp/config
Commands
| Command | Description |
|---|---|
npx atxp search <query> | Real-time web search |
npx atxp image <prompt> | AI image generation |
npx atxp music <prompt> | AI music generation |
npx atxp video <prompt> | AI video generation |
npx atxp x <query> | X/Twitter search |
Usage
- Verify
$ATXP_CONNECTIONis set - Run the appropriate command
- Parse and present results
Programmatic Access
import { atxpClient, ATXPAccount } from '@atxp/client';
const client = await atxpClient({
mcpServer: 'https://search.mcp.atxp.ai',
account: new ATXPAccount(process.env.ATXP_CONNECTION),
});
const result = await client.callTool({
name: 'search_search',
arguments: { query: 'your query' },
});
MCP Servers
| Server | Tool |
|---|---|
search.mcp.atxp.ai | search_search |
image.mcp.atxp.ai | image_create_image |
music.mcp.atxp.ai | music_create |
video.mcp.atxp.ai | create_video |
x-live-search.mcp.atxp.ai | x_live_search |
Files
2 totalSelect a file
Select a file to preview.
Comments
Loading comments…