PRISM API SDK
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: prismapi-sdk
Version: 0.2.1

The OpenClaw AgentSkills bundle for 'prismapi-sdk' appears benign. The `SKILL.md` and `README.md` files clearly describe a financial data SDK, requiring `node` and `npm` for installation and execution, which is standard for a TypeScript SDK. All documented network calls are directed to `https://api.prismapi.ai`, the stated service endpoint. There is no evidence of prompt injection attempts against the agent, unauthorized data exfiltration, persistence mechanisms, or other malicious behaviors. The skill explicitly claims to be read-only, without wallet access or trading capabilities, and the provided content aligns with these claims.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or building those external packages can execute local Node/npm code and adds dependencies outside the reviewed artifacts.
The skill itself is instruction-only, so these user-directed external package/repo installs supply the executable SDK/MCP behavior. That is purpose-aligned, but users should verify provenance and versions before running JavaScript install/build steps.
`npm install prismapi-sdk` ... `git clone https://github.com/Strykr-Prism/PRISM-MCP-Server.git` ... `npm install && npm run build`
Install only from trusted npm/GitHub sources, pin versions when possible, and run setup in a project environment rather than globally.
A leaked or overused API key could allow API calls under the user's Prism account and consume quota or expose account-related usage information.
The SDK expects a Prism API key even though the registry metadata declares no primary credential or required env var. This is expected for a hosted data API, but users should handle the key carefully.
`apiKey: 'your-api-key', // Required — get from api.prismapi.ai`
Use secret storage or environment variables, prefer scoped/revocable keys if available, and avoid pasting API keys into prompts, logs, or shared files.
Incorrect or manipulated provider data could affect an agent's analysis or trading-related recommendations if used without validation.
The SDK advertises provider-supplied agent context and endpoint/schema discovery. This is purpose-aligned, but returned context or schemas can influence downstream agent behavior if treated as instructions.
Agent Context Injection ... `const context = await prism.agent.getContext();` ... endpoint discovery (for dynamic tool generation)
Treat returned context, schemas, and market data as untrusted data; do not let it override user/system instructions or create new tool permissions without review.
