Maay
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s ATXP purpose is clear, but it relies on an undeclared local paid-account credential and unpinned external npm/CLI code, so users should review it before use.
Install only if you trust the ATXP npm package and provider endpoints. Before use, confirm which ATXP account is loaded in `ATXP_CONNECTION`, understand any paid usage or credit consumption, and avoid sending sensitive prompts unless you accept ATXP’s data handling.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use a paid ATXP account/session to make API calls, which could expose queries/prompts to that provider and potentially consume paid credits.
The skill depends on a local ATXP account connection and config profile for paid API access, while the provided requirements list no required environment variables or primary credential.
Requires authentication via `npx atxp login` ... echo $ATXP_CONNECTION ... source ~/.atxp/config
Only use this after confirming the ATXP account and credential are intended for this agent session; the skill metadata should declare the credential and users should require confirmation before paid calls.
Running the documented commands may execute external package code that was not reviewed in this artifact set, including during authentication.
The skill’s behavior depends on external npm packages/CLI code that are not included, pinned, or covered by an install spec, so the reviewed artifacts do not show the code that will actually run.
`npx atxp login` ... `npx atxp search <query>` ... `import { atxpClient, ATXPAccount } from '@atxp/client';`Verify the official ATXP package source, pin trusted versions, and prefer a reviewed install spec or lockfile before allowing the agent to run these commands.
Search terms, prompts, and generated-media requests may be shared with ATXP services.
The skill discloses that queries and generation prompts are sent to external ATXP MCP/provider endpoints, which is expected for its purpose but relevant for privacy.
mcpServer: 'https://search.mcp.atxp.ai' ... `image.mcp.atxp.ai` ... `music.mcp.atxp.ai` ... `video.mcp.atxp.ai` ... `x-live-search.mcp.atxp.ai`
Avoid sending sensitive or confidential prompts unless ATXP’s privacy and retention terms are acceptable.