Solar Cloud API
PassAudited by ClawScan on May 1, 2026.
Overview
The skill matches its stated read-only Solax summary purpose, with normal cautions around supplying a Solax token/serial number and installing an npm dependency without a lockfile.
Before installing, make sure you trust the npm dependency, keep the Solax token in environment variables rather than files or prompts, and treat the returned inverter/energy data as private.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide credentials or identifiers that allow the skill to read Solax inverter summary data.
The skill requires a Solax API token and inverter serial number to access cloud inverter data. This is expected for the stated purpose, but it is still account/device-linked access the user should notice.
You need: - `tokenId` (Solax Cloud API token id) - `sn` (inverter serial number)
Use environment variables as suggested, avoid hardcoding the token, and prefer the least-privileged Solax token available.
Installing the skill will rely on npm package resolution for its dependency chain.
The setup depends on fetching an npm package without a lockfile. The direct dependency is pinned in package.json, but installation is less reproducible than a locked install.
npm install ... (We use `npm install` instead of `npm ci` because this skill does not ship with a lockfile.)
Install only from a trusted npm registry/cache and consider adding/reviewing a package lockfile before use.
Your inverter identifier and energy summary data may be sent to and retrieved from Solax Cloud, then printed into the agent/session output.
The script sends the provided Solax token and serial number through the Solax Cloud API package and returns cloud data. This external provider flow is disclosed and central to the skill.
const api = new SolaxCloudAPI(brand, tokenId, sn); const resp = await api.getAPIData();
Run it only for the intended Solax account/device and avoid sharing the returned JSON if it contains private site or energy-use details.