public-opinion-insights

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The API key and analysis request could be exposed on the network or used through an implicit fallback credential path, depending on where the agent runs.

Why it was flagged

The reviewed code obtains or uses MIDU_API_KEY and sends it as a bearer token to a plain-HTTP endpoint, with an automatic /apiKey fallback when the environment variable is missing.

Skill content

API_BASE_URL = "http://intra-znjs-yqt-agent-wx-beta.midu.cc"
...
url = f"{base_url}/apiKey"
...
headers["Authorization"] = "Bearer %s" % api_key

Recommendation

Use an HTTPS endpoint, make the /apiKey fallback explicit or remove it, and document exactly when credentials are fetched and sent.

What this means

Users have less external context for confirming that this internal Midu endpoint and package are the intended release.

Why it was flagged

The skill source and homepage are not provided, making publisher provenance harder to verify even though the included code is small and directly reviewable.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the publisher and endpoint; maintainers should add a source URL, homepage, or commit provenance.