Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AIOT Network

v1.0.1

Meta-skill that indexes all AIOT platform skills and routes agent requests to the correct sub-skill.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a routing/index meta-skill and the files reflect that (skill index, delegation guidance, install script). Requiring an API base URL is reasonable if the router must construct or validate backend endpoints, but declaring AIOT_API_BASE_URL as the "primary credential" is odd because it is a URL (not a secret) and the SKILL.md does not explain why the router itself needs direct API access rather than delegating entirely to sub-skills.
! Instruction Scope
Runtime instructions are narrowly scoped to routing, dependency chains, and installing sub-skills. However, the SKILL.md instructs agents to use a default base URL (https://payment-api-dev.aiotnetwork.io) when AIOT_API_BASE_URL is not set — that means an agent could make network requests to this dev endpoint by default, potentially transmitting user data to an unknown host. The guidance to always refer to sub-skills for implementation details leaves ambiguity about where network calls and data handling actually occur.
Install Mechanism
No external downloads or packaged installs; the included scripts/install.sh simply invokes the platform installer (clawhub) for each named sub-skill. This is low-risk compared with arbitrary URL downloads. The script fails the run if any install fails and otherwise performs straightforward installs.
! Credentials
Only one environment variable is requested (AIOT_API_BASE_URL), which is proportional in quantity. But labeling a base URL as the primary credential is unusual. More importantly, the default value is a development domain under aiotnetwork.io; if users don't override it, traffic may be sent to that domain. The skill does not declare any secrets (tokens, keys), but the default endpoint could still receive sensitive data from sub-skills.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. It does install other skills via the user-run script, which is expected for a meta-skill. It does not modify other skills' configs or claim system-wide changes.
What to consider before installing
This skill is a meta-router that installs and delegates to several AIOT sub-skills. Before installing:
1) Decide whether you trust the aiotnetwork owner — the source/homepage are unknown.
2) Explicitly set AIOT_API_BASE_URL to a trusted endpoint (or review what the sub-skills will call) because the SKILL.md falls back to a dev URL (https://payment-api-dev.aiotnetwork.io) which could receive user data if left unchanged.
3) Review each sub-skill you plan to install (account-auth, kyc, payments, crypto, etc.) for their required credentials and behaviors — installing this meta-skill may pull in multiple capabilities that request additional secrets.
4) If you don't want network traffic sent to an unknown domain, do not install or run the skill until you can confirm the intended backend endpoints and trust the owner.

Like a lobster shell, security has layers — review code before you run it.

latestvk97es946b2r98c3115rr91z50s8387x3

Runtime requirements

Env: AIOT_API_BASE_URL
Primary env: AIOT_API_BASE_URL
