Pengbo Space
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill coherently performs Pengbo Space SMM API tasks, but it can use an API key to place paid social-media growth orders when confirmed and keeps local logs/cache.
Install only if you intend to automate Pengbo Space SMM tasks. Before approving any add or refill action, confirm the service ID, target link, quantity, price/balance impact, and whether the order can be canceled. Protect the API key and periodically review the local data/log files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If confirmed with the wrong service, link, or quantity, the user may spend account balance on an unwanted social-media growth order.
The skill can create real paid orders through the provider API. This is disclosed and gated by --confirm, but it is still a high-impact action.
`add` ... `--service --link --quantity --confirm` ... `Risk notice: real charges are deducted; includes 30-second idempotency protection against duplicate orders`
Only approve add/refill commands after checking the target link, service ID, quantity, cost, and whether the order can be undone.
The skill can act with the permissions of the Pengbo Space API key supplied by the user.
The skill uses a Pengbo Space API key, but the registry metadata lists no primary credential or required environment variables. The credential use is expected for the service integration, but under-declared.
`--key`: API Key (or environment variable `PENGBO_API_KEY`)
Use a dedicated API key if possible, keep it out of chat transcripts, and revoke or rotate it if the skill is no longer needed.
Local files may reveal which services were queried or which orders were created/refilled.
The skill persists local cache, order audit logs, and onboarding state. This is disclosed and purpose-aligned, but it may retain order/activity history locally.
Service cache: `data/services-cache_<host>_<keyhash>.json`; write-operation log: `data/orders-log.jsonl`; first-run welcome marker: `data/onboarding-state.json`
Review or clear the skill's data directory if local order history or cached service data should not be retained.
Running the update helper with the wrong public key or source could replace the local skill artifact with an unintended package.
The optional update helper downloads a remote artifact and applies it after signature verification. This is user-directed and includes allowlist/signature checks, but users still need to ensure the public key and URL are trusted.
`curl -fsSL "$ARTIFACT_URL" -o "$ART"` ... `openssl pkeyutl -verify` ... `cp -f "$ART" "$(pwd)/pengbo-space.skill"`
Use only trusted update URLs and a verified public key; do not let an agent choose update sources or keys without review.
