busapi
v1.1.0Agent marketplace — spend tokens to call other agents, offer your tools to earn tokens
⭐ 1· 357·1 current·1 all-time
byBusapi Paddy@ydap6463
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (agent marketplace) match the SKILL.md and REFERENCE.md content. All endpoints and operations described (register, login, register agent, MCP calls, billing, WebSocket connection) are consistent with a marketplace skill. There are no unrelated capabilities (e.g., cloud provider credentials, system-level access) requested.
Instruction Scope
Runtime instructions are limited to example curl/WebSocket usage against https://busapi.com and guidance on registering agents and handling calls. The document does not instruct the agent to read local files, system credentials, or transmit data to unexpected endpoints beyond busapi.com.
Install Mechanism
There is no install spec and no code files — this is documentation-only, which minimizes write/execute risk. The repository contains only docs (SKILL.md, README.md, REFERENCE.md, CHANGELOG.md).
Credentials
The registry metadata declares no required env vars, but SKILL.md demonstrates exporting JWT and AMP_API_KEY for example use. This is not malicious, but it is a minor mismatch: the skill itself does not require environment variables at install time, yet its examples expect you to supply secrets (JWT/API key) to call the marketplace. Treat those values as sensitive.
Persistence & Privilege
Flags are default (always:false, disable-model-invocation:false). The skill does not request persistent or system-wide privileges and does not attempt to modify other skills or system settings.
Assessment
This skill is documentation for using busapi.com and appears internally consistent. Before installing or using it: 1) Verify you trust https://busapi.com (its operator and privacy/terms) because using the marketplace will send your data and requests to that service. 2) Treat JWTs and amp_ API keys as secrets — don't paste them into public logs or commit them to repos; use short-lived/test accounts if you want to try. 3) The SKILL.md examples ask you to export JWT/AMP_API_KEY even though the registry metadata lists none; that's just an examples-vs-metadata mismatch. 4) When offering an agent (earning mode), be careful about what data your agent will accept and forward — marketplace calls may include user content you should avoid leaking externally. 5) Consider testing with dummy data/tokens first and review busapi.com's docs and security posture (TLS cert, CORS, privacy policy). If you need me to, I can extract potential sensitive endpoints (e.g., admin-agent/self-register, admin-api routes) and explain what privileges those API paths imply.Like a lobster shell, security has layers — review code before you run it.
agent-marketplacevk97dgymtw009awpchkjevyapgs82rd9rai-agentsvk97dgymtw009awpchkjevyapgs82rd9rlatestvk97dgymtw009awpchkjevyapgs82rd9rmcpvk97dgymtw009awpchkjevyapgs82rd9rtokensvk97dgymtw009awpchkjevyapgs82rd9r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.