Agent Skill

OpenClaw and Hermes skill for AI API relay audits

API Relay Audit can run as an agent skill so OpenClaw or Hermes users can generate a local, reviewable Markdown report before an agent sends coding, tool, or wallet-related traffic through a third-party relay.

The skill does not certify that a relay is safe. It helps an agent run the same local 14-step audit and keep API-key handling explicit.

OpenClaw use case

Use the OpenClaw skill when an OpenClaw agent is about to depend on an AI API relay, proxy API, or resale key. The skill is designed to check prompt injection, model substitution, tool-call rewriting, SSE anomalies, upstream channel mismatch, error leakage, and Web3 wallet risks.

Hermes Agent use case

Use the Hermes skill when a Hermes workflow needs a repeatable local audit recipe. The skill prefers `$API_RELAY_AUDIT_KEY` for secret handling and writes a Markdown report instead of asking the agent to summarize raw traffic from memory.

Install commands

# Hermes direct install
hermes skills install toby-bridges/api-relay-audit/skills/api-relay-audit

# Hermes tap install
hermes skills tap add toby-bridges/api-relay-audit
hermes skills install toby-bridges/api-relay-audit/api-relay-audit

# OpenClaw after ClawHub publication
openclaw skills search "api relay audit"
openclaw skills install api-relay-audit

Why this helps agent safety

The audit runs locally rather than through another web checker.
The report distinguishes `clean`, `anomaly`, and `inconclusive` results.
Tool-call rewriting and Web3 wallet probes are visible before the agent trusts a relay path.
The skill keeps OpenClaw and Hermes as distribution channels, not as replacements for manual security review.