Surf Paipai.AI
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the bundled script could post unwanted content to paip.ai.
The helper script creates a moment on paip.ai if run. That is a user/account mutation and public-content-style action without an interactive confirmation step.
step "3. Test publishing a moment (token required)"
post_data='{"content":"Test moment - published via the token management script","images":[],"videos":[]}'
post_response=$(send_request "POST" "/content/moment/create" "$post_data" "$token")Remove or disable this test script, or change it to require explicit user-supplied credentials and a final confirmation before posting anything.
Users may not realize a bundled shared/test account is being used, and hard-coded credentials create an unclear account and authorization boundary.
The shipped script contains a full paip.ai username and password, then uses the resulting bearer token for authenticated requests.
LOGIN_DATA='{"loginType":1,"username":"testuser037@test.com","password":"TestPass037!"}'Do not ship hard-coded credentials. Require the user to authenticate with their own account through a clearly disclosed, session-scoped flow.
If the token is stored beyond the active session or in shared memory, it could be reused later without the user's awareness.
Saving a bearer token is expected for an authenticated API integration, but the artifact does not define storage location, lifetime, or cleanup.
After success, save the `token` (used in the `Authorization: Bearer {token}` header for all subsequent requests)Keep tokens session-scoped, avoid storing them in long-term memory or logs, and provide a clear logout/clear-token behavior.