
      Safety Report

      ATXP

      @emilioacc

      Access ATXP paid API tools for web search, AI image generation, music creation, video generation, X/Twitter search, email, and agent account management. Use...

      46,610 Downloads
      24 Installs
      29 Stars
      2 Versions
      API Integration 13,230 · Video & Audio 6,897 · Search & Retrieval 5,443 · Image Processing 5,367

      Security Analysis

      medium confidence
      Suspicious · 0.04 risk

      The skill's described functionality matches the npx-based CLI it documents, but the runtime instructions reference local config and an environment variable (and rely on npx downloading code) without declaring those requirements — this is an incoherence that could expose credentials or cause unexpected code execution.

      Feb 19, 2026 · 1 file · 5 concerns

      Purpose & Capability (concern)

      The SKILL.md describes an npx-based CLI (search, image, music, video, email, agent management) so the claimed capabilities align with the instructions. However the skill metadata declares no required binaries, env vars, or credentials even though the instructions require npx usage, a locally sourced config (~/.atxp/config), and an ATXP connection string. The omission of these runtime dependencies is inconsistent and concerning.

      Instruction Scope (concern)

      Runtime instructions explicitly tell the user/agent to echo $ATXP_CONNECTION and to source ~/.atxp/config. That reads local configuration and environment state (likely containing credentials/tokens) which are outside the skill metadata. The instructions also guide creating and funding agent wallets and using payment links, which are high-impact actions that require user caution. The SKILL.md grants broad runtime discretion to run npx commands that fetch and execute remote packages.

      Install Mechanism (concern)

      There is no install spec in metadata, but the instructions rely on npx atxp — npx will fetch and execute a package from the npm registry at runtime. That means arbitrary code will be downloaded/executed when commands run. The skill provides no provenance (homepage is none) or package publisher details to verify the npm package; this increases risk.

      Credentials (concern)

      The skill metadata lists no required environment variables, yet the instructions expect $ATXP_CONNECTION and a sourced ~/.atxp/config which likely contain sensitive tokens/connection strings. That mismatch is a red flag: the skill asks you to expose local secrets without declaring them. The skill also enables creating agents with wallets and funding flows (USDC, Stripe links), which involve financial actions and should be treated as sensitive.

      Persistence & Privilege (note)

      The skill is not always-on and allows autonomous invocation (platform default). It does not request to modify other skills or system-wide settings. However, the ability to self-register agents, create wallets, and generate payment links increases the potential impact if misused; combined with the npx execution and undisclosed config access, this warrants caution.

      Guidance

      Before installing or running this skill:

      1) Be aware that the SKILL.md tells you to run npx atxp — npx will download and execute code from npm at runtime. Only proceed if you trust the package publisher; inspect the package source (npm/GitHub) first.
      2) The instructions ask you to source ~/.atxp/config and to check $ATXP_CONNECTION even though the skill metadata declares no credentials; inspect that file to see what secrets it contains and avoid blindly sourcing it into a shell.
      3) Treat agent creation and funding flows as financial actions: verify destination wallets/Stripe links and never send funds unless you fully trust the service.
      4) If you want to test, run npx / the package in an isolated environment (temporary VM or container) and review the package contents before executing.
      5) Prefer skills with declared requirements and a verifiable homepage/repository; the lack of a homepage and missing dependency declarations is an unresolved risk.

      If you can obtain the npm package name, repository, or vendor verification and review the source, that information would materially increase confidence.

      Latest Release

      v1.0.1

      Expanded feature set with new email and agent account management tools.

      - Added full ATXP email functionality: inbox management, send/receive, attachments, search, username claiming, and more.
      - Introduced agent account creation, balance checking, funding options, and agent management commands.
      - Detailed instructions for account balance, funding, and top-up via Stripe payment link.
      - Included best practices and support contact method using the new email commands.
      - Updated tool descriptions, command list, and usage sections for better guidance.


      Published by @emilioacc on ClawHub
