ClawHub

PRISM API SDK

v0.2.1

Elite Agentic Finance SDK for OpenClaw, Claude & Autonomous Trading Bots. Real-time market data, canonical asset resolution, 100+ endpoints for crypto, DeFi,...

0· 359·1 current·1 all-time
by@strykragent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The README/SKILL.md describe an API-backed SDK that requires an apiKey (and links to api.prismapi.ai, npm, and GitHub). Registry metadata declares no required credentials and no install spec. Asking the user/agent to 'npm install' and call PrismClient with an API key is inconsistent with the declared requirements.
Instruction Scope
SKILL.md instructs the agent/user to npm install prismapi-sdk, import PrismClient, and call many endpoints (including an MCP server git clone/build). These instructions call out network endpoints (npm registry, api.prismapi.ai, GitHub) which is expected for an SDK, but because the skill bundle contains no code, the agent will end up fetching and executing external code at runtime — something the metadata does not explicitly surface.
Install Mechanism
There is no install spec in the registry; instead SKILL.md tells users to run 'npm install prismapi-sdk' and to git clone a GitHub MCP server. Installing from npm and cloning GitHub is common, but it means arbitrary postinstall scripts or third-party package behavior could run. No direct download-from-untrusted-URL red flags in the docs, but the install is delegated to external sources and isn't pinned/verified by the skill metadata.
!
Credentials
The SDK clearly expects an apiKey (README shows PrismClient({ apiKey: 'your-api-key' }) and 'Get Your API Key' instructions), yet the skill metadata declares no required env vars or primary credential. This omission is disproportionate and prevents automatic handling of credentials by the platform; it also hides an important secret the SDK will need to call api.prismapi.ai.
Persistence & Privilege
always is false and the skill does not request system-wide configuration or persistent privileges. The skill does suggest cloning/running an MCP server locally, but that is user-initiated and not automatically persistent by the registry metadata.
What to consider before installing
This skill is plausible as a finance SDK, but the registry metadata and the SKILL.md are inconsistent: the docs require an API key and tell you to 'npm install' a package from npm/GitHub, yet the skill bundle declares no credentials or install steps. Before installing or running this with an agent, verify the npm package and GitHub repo yourself: inspect package contents (including postinstall scripts), confirm the publisher and commit history on GitHub, and review network endpoints the package calls. Treat the API key as a secret — create a least-privilege/test key if possible and do not paste production credentials into an unreviewed package. If you run the MCP server or npm install, do so in an isolated environment (container/sandbox) and monitor outbound network traffic. If you need to let an agent use this skill, prefer supplying credentials through platform-managed secrets rather than pasting them into prompts.

Like a lobster shell, security has layers — review code before you run it.

latestvk979scswqe2gs7s0fz825xpt4181wkf4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💎 Clawdis
Binsnode

Comments