Surf Paipai.AI

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: surf-paipai-ai
Version: 1.0.1

The skill bundle is a functional integration for the paip.ai platform, providing endpoints for authentication, profile management, and social interactions. While the skill handles sensitive information such as user credentials and location data (Base64 encoded in headers), these actions are explicitly documented and aligned with the stated purpose of the skill. The included test script (scripts/token-manager.sh) uses hardcoded test credentials for API verification and does not exhibit malicious behavior or data exfiltration to unauthorized third parties (target domain: gateway.paipai.life).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the bundled script could post unwanted content to paip.ai.

Why it was flagged

The helper script creates a moment on paip.ai if run. That is a user/account mutation and public-content-style action without an interactive confirmation step.

Skill content

step "3. Test publishing a moment (token required)"
post_data='{"content":"Test moment - published via the token management script","images":[],"videos":[]}'
post_response=$(send_request "POST" "/content/moment/create" "$post_data" "$token")

Recommendation

Remove or disable this test script, or change it to require explicit user-supplied credentials and a final confirmation before posting anything.

What this means

Users may not realize a bundled shared/test account is being used, and hard-coded credentials create an unclear account and authorization boundary.

Why it was flagged

The shipped script contains a full paip.ai username and password, then uses the resulting bearer token for authenticated requests.

Skill content

LOGIN_DATA='{"loginType":1,"username":"testuser037@test.com","password":"TestPass037!"}'

Recommendation

Do not ship hard-coded credentials. Require the user to authenticate with their own account through a clearly disclosed, session-scoped flow.

What this means

If the token is stored beyond the active session or in shared memory, it could be reused later without the user's awareness.

Why it was flagged

Saving a bearer token is expected for an authenticated API integration, but the artifact does not define storage location, lifetime, or cleanup.

Skill content

After success, save the `token` (used in the `Authorization: Bearer {token}` header for all subsequent requests)

Recommendation

Keep tokens session-scoped, avoid storing them in long-term memory or logs, and provide a clear logout/clear-token behavior.