秒秒AI助理
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a normal third-party AI API wrapper, but users should know their prompts are sent to Link-AI and the API-key setup is under-declared and somewhat inconsistent.
This skill is acceptable to use if you intend to call the Link-AI/Miaomiao service. Before installing, confirm the correct API-key environment variables, use a dedicated key if possible, and avoid sending sensitive personal, business, or credential data through the skill unless you trust the provider.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill needs a Link-AI/Miaomiao API credential to work, so installing users should understand which account and key are being used.
The client uses an API key from the environment as a bearer token. This is expected for a third-party API integration, but the registry metadata declares no primary credential or required environment variables.
self.api_key = api_key or os.getenv("MIAOMIAO_API_KEY") ... 'Authorization': f'Bearer {self.api_key}'
Use a dedicated API key with limited scope if available, and confirm whether the correct environment variable is MIAOMIAO_API_KEY or LINKAI_API_KEY before use.
Questions, summaries, route queries, or other user-provided text may be shared with the external AI service.
User messages are sent over HTTPS to the configured external API host, defaulting to api.link-ai.tech. This is central to the skill’s purpose, but it means prompt content leaves the local agent environment.
conn = http.client.HTTPSConnection(self.api_url, timeout=timeout) ... conn.request("POST", "/v1/chat/completions", payload, headers)
Do not submit secrets, private documents, or regulated data unless you trust the Link-AI service and its data handling terms.
Users may need to install a dependency manually, and the exact package version is not specified.
The README requires a Python dependency, but the skill has no install spec and the dependency is not pinned. This is a minor setup/provenance clarity issue for a code-assisted skill.
pip install python-dotenv
Install dependencies from trusted package sources and consider pinning python-dotenv to a known version in a reviewed environment.
