Avito.ru publish and chat

v1.0.0

Manage Avito.ru account, items, and messenger via API. Use for listing items, checking balance, reading chats, and getting account info.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included Python scripts: auth, get account, list items, list chats, and get balance — all call plausible Avito API endpoints and are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs running the provided scripts which only contact api.avito.ru endpoints and do not access unrelated system files. However, the scripts print raw JSON (including token responses) to stdout which could be captured by agent logs or other tooling and leak secrets.
Install Mechanism
There is no install spec (no code is downloaded at runtime), which is lower risk. But SKILL.md and the scripts require the Python 'requests' library while the registry metadata does not declare this dependency — a functional/inventory mismatch that could cause failures or hidden installs by users trying to make it work.
Credentials
The skill needs Avito Client ID/Client Secret and issues/accepts access tokens, which is appropriate for the service. But the registry metadata declares no required environment variables or primary credential; SKILL.md suggests env vars or CLI args. This mismatch means the skill expects secrets but doesn't declare them to the platform, increasing risk of accidental exposure or user confusion. Also, token JSON is printed to stdout (potential leakage).
Persistence & Privilege
The skill does not request persistent/always-on presence, does not modify system or other skills, and uses only ordinary runtime calls. Autonomous invocation is enabled by default (normal) but not combined with other alarming privileges.
What to consider before installing
- The code implements the advertised Avito actions (auth, list items/chats, balance) and calls api.avito.ru — that part looks coherent.
- The skill requires your Avito Client ID and Client Secret and will obtain/print access tokens; the registry metadata does not declare these required credentials. Only provide credentials if you trust the skill author and environment.
- Tokens and API responses are printed to stdout — they can be captured in logs. Prefer running these scripts locally in a controlled environment or modifying them to avoid printing secrets.
- The package expects the Python 'requests' library but doesn't declare it as a dependency; ensure your runtime has it rather than installing third-party packages from unknown sources.
- The skill owner and homepage are unknown; if you need this functionality, consider using an official SDK or verifying the author (or requesting the author update metadata to declare required env vars and remove/secure prints) before granting secrets.
