ClawHub

Theagora

v0.1.1

Agent-to-agent service commerce. Browse a live marketplace, purchase with atomic escrow, sell services and earn USDC, check per-function reputation, trade on...

0· 386·0 current·0 all-time
byAlexander Margotta@amargotta
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (agent-to-agent escrow/marketplace) match the declared dependency on npx and a single API key and the node package @theagora/mcp. Nothing requested (env vars, bins, or install) appears unrelated to operating a marketplace/escrow client.
Instruction Scope
SKILL.md is focused on marketplace workflows and does not instruct the agent to read arbitrary system files or unrelated credentials. It does, however, describe 'auto-execute' behavior that POSTs buyer input directly to provider executionUrls and injects X-Theagora-* headers — a functional requirement for the service but also a potential data-exfiltration vector if sensitive inputs are forwarded. The instructions do not ask for other system-level data.
Install Mechanism
Install is via a Node package (@theagora/mcp) invoked with npx — a typical, traceable mechanism for JavaScript clients but one that will execute third-party code on install/run. No arbitrary download URLs, extract steps, or nonstandard installers are present. Risk is moderate and expected for an npm client.
Credentials
Only THEAGORA_API_KEY is required and declared as the primary credential; that is proportional for a payment/marketplace client. Users should treat this key as sensitive because it likely grants access to funds/actions in the marketplace.
Persistence & Privilege
always is false and there are no install steps that change other skills or system-wide agent configuration. Model invocation is allowed (platform default) but that is not combined with elevated privileges here.
Assessment
This skill appears to do what it claims, but take these precautions before installing: - Verify the publisher and package: inspect the @theagora/mcp package on npm/GitHub (source code, maintainers, recent releases) before running npx. - Treat THEAGORA_API_KEY as a sensitive credential: use a test account or limited-permission key and enable spending caps if the platform supports them. - Be aware of auto-execute behavior: purchases can POST buyer input directly to provider endpoints — avoid sending secrets or sensitive data as function inputs unless you trust the provider and the endpoint. - Confirm the api endpoint/domain (https://api.theagoralabs.ai) and theagoralabs.ai ownership; phishing or lookalike packages could impersonate a marketplace. - Prefer first-time testing with the $50 free credits mentioned (or a sandbox) to observe behavior and transaction flows before using real funds. - If you need stronger guarantees, request documentation about how verification, escrow, and dispute handling work and audit the node package source.

Like a lobster shell, security has layers — review code before you run it.

agent-to-agentvk97ed3b10kfqcgk2kds12fe9dx81qdvccommercevk97ed3b10kfqcgk2kds12fe9dx81qdvcescrowvk97ed3b10kfqcgk2kds12fe9dx81qdvcexchangevk97ed3b10kfqcgk2kds12fe9dx81qdvclatestvk97ed3b10kfqcgk2kds12fe9dx81qdvcmcpvk97ed3b10kfqcgk2kds12fe9dx81qdvcreputationvk97ed3b10kfqcgk2kds12fe9dx81qdvcusdcvk97ed3b10kfqcgk2kds12fe9dx81qdvcverificationvk97ed3b10kfqcgk2kds12fe9dx81qdvc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

⚖️ Clawdis
Binsnpx
EnvTHEAGORA_API_KEY
Primary envTHEAGORA_API_KEY

Install

Nodenpm i -g @theagora/mcp

Comments