PRISM API SDK

Pass. Audited by ClawScan on May 1, 2026.

Overview

The provided files describe a read-only market-data SDK, with the main things to review being its external JavaScript install path and required Prism API key.

Before installing, verify the npm package and optional MCP server repository, use a separate/revocable Prism API key, and keep agent use bounded to read-only data analysis unless you add separate trading safeguards.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or building those external packages can execute local Node/npm code and adds dependencies outside the reviewed artifacts.

Why it was flagged

The skill itself is instruction-only, so these user-directed external package/repo installs supply the executable SDK/MCP behavior. That is purpose-aligned, but users should verify provenance and versions before running JavaScript install/build steps.

Skill content

npm install prismapi-sdk ... git clone https://github.com/Strykr-Prism/PRISM-MCP-Server.git ... npm install && npm run build

Recommendation

Install only from trusted npm/GitHub sources, pin versions when possible, and run setup in a project environment rather than globally.

What this means

A leaked or overused API key could allow API calls under the user's Prism account and consume quota or expose account-related usage information.

Why it was flagged

The SDK expects a Prism API key even though the registry metadata declares no primary credential or required env var. This is expected for a hosted data API, but users should handle the key carefully.

Skill content

apiKey: 'your-api-key',             // Required — get from api.prismapi.ai

Recommendation

Use secret storage or environment variables, prefer scoped/revocable keys if available, and avoid pasting API keys into prompts, logs, or shared files.

What this means

Incorrect or manipulated provider data could affect an agent's analysis or trading-related recommendations if used without validation.

Why it was flagged

The SDK advertises provider-supplied agent context and endpoint/schema discovery. This is purpose-aligned, but returned context or schemas can influence downstream agent behavior if treated as instructions.

Skill content

Agent Context Injection ... const context = await prism.agent.getContext(); ... endpoint discovery (for dynamic tool generation)

Recommendation

Treat returned context, schemas, and market data as untrusted data; do not let it override user/system instructions or create new tool permissions without review.