APM Authentication Center API
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a documentation-only APM authentication API skill; its main risk is expected handling of login credentials, tokens, and verification-code requests.
This skill appears coherent and documentation-only. Before using it, verify that the APM API URL is the service you intend to use, provide only credentials or tokens you are comfortable delegating to the agent, and confirm actions that send SMS/email codes or may create accounts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses a token with admin, supplier, merchant, or user privileges, it may act with that account's authority for the documented APM authentication APIs.
The skill explicitly requires and uses an APM access token for authenticated API calls.
metadata.openclaw.requires.env: - APM_USER_TOKEN ... Authentication header: `authcode: "HH " + access_token`
Use a least-privileged APM token, avoid sharing admin credentials unless necessary, and rotate or revoke the token if it may have been exposed.
Using these endpoints can trigger real verification messages and may affect user or merchant login flows.
The skill documents write-style API calls that can send SMS verification codes to phone numbers.
POST request body: { area_code, iso_alpha2, tel, type } ... type=1: user login, type=2: merchant login
Only ask the agent to send verification codes to phone numbers or emails you control, and confirm before making these requests.
A login attempt could create a new account as a side effect if the user provides an email that is not already registered.
The documented email login flow may automatically register a user account if one does not already exist.
User email verification-code login (automatically registers an account if none exists).
Confirm the intended account and registration behavior before using email or phone login endpoints.
