Surf Paipai.AI
Review
Audited by ClawScan on May 10, 2026.
Overview
The paip.ai integration is mostly purpose-aligned, but it includes a runnable script that logs in with hard-coded credentials and publishes a test moment if executed.
Review carefully before installing. The main paip.ai workflows are expected for this kind of integration, but do not run scripts/token-manager.sh as shipped. Only provide paip.ai credentials, location, and files you intend to send to the service, and prefer a version that removes hard-coded credentials and requires confirmation before publishing or changing account data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the bundled script could post unwanted content to paip.ai.
The helper script creates a moment on paip.ai if run. That both mutates the user's account and publishes public-facing content, and it happens without any interactive confirmation step.
step "3. Test publishing a moment (token required)"
post_data='{"content":"Test moment - published via the token management script","images":[],"videos":[]}'
post_response=$(send_request "POST" "/content/moment/create" "$post_data" "$token")
Remove or disable this test script, or change it to require explicit user-supplied credentials and a final confirmation before posting anything.

Users may not realize a bundled shared/test account is being used, and hard-coded credentials create an unclear account and authorization boundary.
The shipped script contains a full paip.ai username and password, then uses the resulting bearer token for authenticated requests.
LOGIN_DATA='{"loginType":1,"username":"testuser037@test.com","password":"TestPass037!"}'
Do not ship hard-coded credentials. Require the user to authenticate with their own account through a clearly disclosed, session-scoped flow.

If the token is stored beyond the active session or in shared memory, it could be reused later without the user's awareness.
Saving a bearer token is expected for an authenticated API integration, but the artifact does not define storage location, lifetime, or cleanup.
After success, save the `token` (used in the `Authorization: Bearer {token}` header for all subsequent requests)
Keep tokens session-scoped, avoid storing them in long-term memory or logs, and provide a clear logout/clear-token behavior.
