APM Authentication Center API
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: apmzoom-ids
Version: 1.0.0
The bundle provides documentation for the APM Authentication Center API, defining 19 endpoints for login, token management, and verification. It instructs the AI agent on how to interact with an AWS-hosted API (44k2t5n59e.execute-api.ap-northeast-2.amazonaws.com) using specific headers and MD5-based request signing with provided salts (e.g., in ids_admin_login.md and ids_u_login_account.md). The content is strictly documentation-based, aligns with its stated purpose, and contains no evidence of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses a token with admin, supplier, merchant, or user privileges, it may act with that account's authority for the documented APM authentication APIs.
The skill explicitly requires and uses an APM access token for authenticated API calls.
metadata.openclaw.requires.env: - APM_USER_TOKEN ... Authentication header: `authcode: "HH " + access_token`
Use a least-privileged APM token, avoid sharing admin credentials unless necessary, and rotate or revoke the token if it may have been exposed.
Using these endpoints can trigger real verification messages and may affect user or merchant login flows.
The skill documents write-style API calls that can send SMS verification codes to phone numbers.
POST request body: { area_code, iso_alpha2, tel, type } ... type=1: user login, type=2: merchant login
Only ask the agent to send verification codes to phone numbers or emails you control, and confirm before making these requests.
A login attempt could create a new account as a side effect if the user provides an email that is not already registered.
The documented email login flow may automatically register a user account if one does not already exist.
User email verification code login (automatic registration if no account exists).
Confirm the intended account and registration behavior before using email or phone login endpoints.
