← Back to Skills Marketplace
syveraerp

Maay

by syveraerp · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
728
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install sss
Description
Access ATXP paid API tools for web search, AI image generation, music creation, video generation, and X/Twitter search. Use when users need real-time web sea...
Usage Guidance
This skill appears to wrap the ATXP CLI, which is plausible for the described features, but there are several red flags you should consider before installing or running it: - Metadata mismatch: the package name in SKILL.md ('atxp') and owner IDs in _meta.json differ from the registry metadata (skill name/slug/owner). Ask the publisher to correct and justify these inconsistencies. - Undeclared credential: SKILL.md references $ATXP_CONNECTION and ~/.atxp/config but the skill manifest declares no required env vars. Treat any skill that loads credentials not declared in its manifest as suspicious. - Dynamic remote code: the recommended 'npx atxp login' will download and run an npm package at runtime. Only run this if you trust the package's publisher; inspect the package source first or run it in a sandbox. - Sourcing user config: 'source ~/.atxp/config' executes that file. Inspect ~/.atxp/config before sourcing; do not source files from unknown packages without review. - External endpoints: the MCP server domains (e.g., search.mcp.atxp.ai) will receive search queries and prompts. Do not send sensitive information to these endpoints unless you trust the service and have reviewed its privacy/security posture. Actions you can take: - Ask the skill author to update the manifest to declare ATXP_CONNECTION as a required env/primary credential and to correct owner/name/slug to match SKILL.md. - Request a homepage or link to the 'atxp' npm package and verify the package contents and publisher identity on npm/GitHub before running 'npx atxp'. - If you must test, run 'npx' and 'atxp login' in an isolated environment (VM/container) and inspect ~/.atxp/config before sourcing it. - Prefer explicit programmatic API keys with limited scopes rather than auto-sourcing config files. Given these inconsistencies and the fact the skill instructs the agent to fetch and execute remote code and source a user config, treat this skill as suspicious until the author provides corrected metadata and provenance.
Capability Analysis
Type: OpenClaw Skill Name: sss Version: 1.0.0 The SKILL.md file instructs the AI agent to execute `source ~/.atxp/config` as part of its authentication flow. This command executes arbitrary shell commands from the specified file in the user's home directory. This is a critical arbitrary code execution vulnerability, as the content of `~/.atxp/config` could be controlled by an attacker (e.g., via a compromised `npx atxp login` package or prior system compromise), allowing the agent to execute malicious commands without explicit malicious intent in the provided skill definition.
Capability Assessment
Purpose & Capability
The SKILL.md describes accessing ATXP paid APIs (search, image, music, video, X) and the provided commands/programmatic snippets match that purpose. However the skill metadata (name 'Maay', slug 'sss', registry owner id) does not match the SKILL.md top-level name ('atxp') and the _meta.json ownerId differs from the registry owner — an incoherence. Also the runtime uses an ATXP_CONNECTION environment variable but the skill declares no required env vars.
Instruction Scope
Instructions tell the agent to run 'npx atxp login' and to 'source ~/.atxp/config' and to check $ATXP_CONNECTION. Sourcing a config file executes its contents in the shell and can run arbitrary code; relying on 'npx' fetches and runs code from the npm registry at runtime. The SKILL.md references an env var (ATXP_CONNECTION) and a home config path that are not declared in the skill metadata.
Install Mechanism
There is no install spec, but instructions rely on 'npx atxp' which will dynamically download and execute a package from the npm registry. Dynamic npx installs are effectively arbitrary remote code execution unless the package is known and verified. The skill provides no provenance (homepage, official package name verification) for the 'atxp' package.
Credentials
The SKILL.md expects an ATXP_CONNECTION credential (and suggests sourcing ~/.atxp/config) but the skill declares no required environment variables or primary credential. That mismatch is important: the agent will be instructed to load credentials not declared in the skill manifest. The skill will also send queries and prompts to external MCP servers listed in the doc.
Persistence & Privilege
The skill does not request 'always: true' and is not asking to modify other skills or global agent settings. However the login flow writes/sources ~/.atxp/config which could persist credentials and execute config content — users should be cautious about allowing automatic sourcing of files in their home directory.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sss
  3. After installation, invoke the skill by name or use /sss
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of ATXP tools integration. - Enables access to ATXP’s paid API tools via CLI for web search, AI image, music, video generation, and X/Twitter search. - Requires authentication with npx atxp login. - Provides both CLI commands and programmatic usage examples. - Lists available MCP servers and corresponding tools.
Metadata
Slug sss
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Maay?

Access ATXP paid API tools for web search, AI image generation, music creation, video generation, and X/Twitter search. Use when users need real-time web sea... It is an AI Agent Skill for Claude Code / OpenClaw, with 728 downloads so far.

How do I install Maay?

Run "/install sss" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Maay free?

Yes, Maay is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Maay support?

Maay is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Maay?

It is built and maintained by syveraerp (@syveraerp); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments