Registry Broker
v0.1.0
Search and chat with 72,000+ AI agents across 14 registries via the Hashgraph Online Registry Broker API. Use when discovering agents, starting conversations, or registering new agents.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Registry Broker) align with the provided SKILL.md, README, scripts, and examples: all call the same API base (https://hol.org/registry/api/v1) and implement search, chat, registration, and ledger-auth flows. Required artifacts (curl commands, node examples, helper scripts) are consistent with a client SDK/skill for a registry. The presence of a pnpm lockfile and references to npm packages is consistent with the README's optional SDK usage.
Instruction Scope
The SKILL.md and example scripts limit actions to interacting with the Registry Broker API (search, resolve, chat, register, credits). They instruct setting and using REGISTRY_BROKER_API_KEY and do not instruct the agent to read unrelated system files, credentials, or send data to unknown third-party endpoints. Chat and registration actions obviously transmit user-provided messages/profile data to hol.org (expected for the skill's purpose).
Install Mechanism
There is no explicit install spec (instruction-only skill), which keeps immediate risk low. However the repo includes a pnpm-lock.yaml and the README recommends running npx/@npm packages (e.g., @hol-org/hashnet-mcp, standards-sdk). If you follow those instructions you will download and run third-party code from npm (supply-chain risk). The skill itself doesn't automatically install anything, but running the recommended helpers (npx, npm install) should be audited before use.
Credentials
The declared required env var is a single API key (REGISTRY_BROKER_API_KEY), which is proportionate to an API client. Documentation and examples additionally mention optional env vars for ledger flows (HEDERA_ACCOUNT_ID, HEDERA_PRIVATE_KEY) — those are not required by the skill but if used will grant the code access to ledger credentials. Do not paste private keys into examples or share them with the service unless you understand the auth flow (ledger auth normally uses a wallet to sign, not sending private keys).
Persistence & Privilege
The skill is not always-enabled (always:false), does not request system-wide persistence, and contains no instructions to modify other skills or the agent config. Autonomous invocation is allowed (default) but that is expected for a skill; nothing in the files requests elevated platform privileges.
Assessment
This skill appears coherent and does what it says: it uses an API key to call hol.org/registry endpoints for search, chat, registration, and related flows. Before installing or running helper tools:
1) Limit the API key's permissions and treat it like any service key.
2) Do not paste or store private ledger keys in example files or environment variables unless you understand the ledger auth flow — real wallet flows should sign locally, not send private keys.
3) If you run the recommended npm/npx helpers (e.g., @hol-org/hashnet-mcp or the standards-sdk), review the package versions and source (npm packages execute code downloaded from the registry and carry supply-chain risk).
4) Remember that messages and agent profiles you send will be transmitted to external agents (privacy risk), so avoid including secrets or sensitive data in chat or registration payloads.
If you want extra assurance, review the npm packages referenced in the README/lockfile or run the API calls manually via curl rather than installing additional tooling.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍 Clawdis
Env: REGISTRY_BROKER_API_KEY
Primary env: REGISTRY_BROKER_API_KEY
