v1.0.0

infini-api

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

This instruction-only skill is coherent and sandbox-first, but users should handle Infini API secrets carefully and avoid sending real webhook data to temporary testing services.

Guidance

This skill appears appropriate for learning Infini API integration. Before using it, plan to work in sandbox first, keep your secret_key private and server-side, avoid sharing production credentials in chat, and use webhook.cool only for temporary sandbox testing with non-real data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
references/workflow.md
Tell the user to prepare:

- `key_id`
- `secret_key`

... `secret_key` is the password part and must stay on the server

The skill asks the user to obtain and use Infini API credentials. This is expected for a payment API integration, but those credentials can authorize account actions if mishandled.

User impact: If the API secret is exposed or used in the wrong place, someone could potentially act against the user's Infini merchant account.
Recommendation: Use sandbox keys first, keep the secret key server-side, do not commit it to source control, and avoid pasting real production secrets into chat.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
references/workflow.md
First guide the user to use `webhook.cool` for a quick sandbox callback test:

- open `https://webhook.cool`
- create a temporary webhook URL
... confirm that a callback arrives and the user can see the event body and headers

The skill recommends routing webhook callbacks through a third-party temporary receiver during sandbox testing. This is useful and disclosed, but the receiver can see webhook body and header data.

User impact: Webhook event contents and headers may be visible to the temporary webhook service during testing.
Recommendation: Use webhook.cool only with sandbox/test data, do not send production customer or payment data there, and replace it with your own backend webhook endpoint before going live.