PRISM OS SDK

Warn: Audited by ClawScan on May 10, 2026.

Overview

The skill is presented as a financial data SDK, but the supplied docs also describe agent-controlled trade execution with a wallet signer, despite its read-only claims.

Review this skill before installing or enabling it in an autonomous agent. It may be safe as a read-only data SDK, but only use data endpoints unless you have confirmed the execute module cannot trade; never give it wallet signer access unless you intentionally want transactions and have explicit approval controls.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could install or enable the skill believing it cannot trade or touch wallets, while related docs describe capabilities that could affect real funds if implemented or exposed.

Why it was flagged

These are strong safety assurances, but another supplied artifact describes an agent trade-execution flow using executeSwap and a signer, so users may reasonably be misled about whether the SDK is strictly read-only.

Skill content
- **Read-only API** — fetches public market data only
- **No wallet access** — does not interact with wallets or private keys
- **No trading execution** — execute modules are for quote simulation only, not live trades

Recommendation

Clarify whether current shipped code can ever execute swaps or use wallet signers; if it is truly read-only, remove or clearly label execution docs as non-shipped future roadmap.

What this means

If execute tools are enabled for an agent, a prompt or bad workflow could move beyond data lookup into high-impact financial actions.

Why it was flagged

The integration example shows agent tool registration including an execute module, which is not clearly limited to quote simulation in this artifact and conflicts with the read-only positioning.

Skill content
.getToolManifest()  // Auto-registers all 44 tools
    .tools
    .filter(t => ['market', 'defi', 'execute'].includes(t.module))

Recommendation

Default to registering only read-only market/data modules, require explicit user approval before any execution-capable tool is enabled, and document exact limits of the execute module.

What this means

Providing a wallet signer to an agent-controlled SDK can authorize transactions and potentially cause financial loss if boundaries are unclear.

Why it was flagged

A signer implies wallet transaction authority, but the skill metadata only declares PRISM_API_KEY and SKILL.md says there is no wallet access or live trading.

Skill content
[5] dex.executeSwap(quote, signer)
    → txHash: 0x..., filled: 0.3087 ETH

Recommendation

Do not provide wallet signers or private-key access unless you intentionally want trading; the publisher should declare any wallet/signer requirements and add strict confirmation and scoping guidance.