ClawHub

Account & Authentication

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

The agent may submit your login details and tokens to the configured API and can change account authentication settings when you ask it to.

Why it was flagged

The skill is explicitly designed to handle account credentials, bearer/refresh tokens, and authenticated account changes.

Skill content
`login` — Login with email and password ... `refresh_token` — Refresh an expired access token using a refresh token ... `update_password` — Change account password ... `link_wallet`
Recommendation

Use this only with the intended AIOT account, verify the API base URL, and provide passwords, OTPs, or wallet signatures only for actions you explicitly requested.

NoteMedium Confidence
ASI02: Tool Misuse and Exploitation
What this means

An unintended call could reset credentials, remove a wallet link, unlock an account, or terminate sessions.

Why it was flagged

The documented API actions can mutate account state. They are aligned with the account-management purpose, but they are high-impact if invoked for the wrong account or without user intent.

Skill content
`reset_password` — Reset account password ... `unlock_account` — Unlock a locked account ... `unlink_wallet` — Remove a linked Web3 wallet ... `logout_all` — Logout from all sessions
Recommendation

Confirm the target account and the specific requested action before using password, wallet, unlock, or logout-all flows.

NoteMedium Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

If the environment variable is not set, credentials and authentication requests may be sent to the default API host.

Why it was flagged

The fallback remote endpoint is disclosed, but it is a development-looking API host used for all account-authentication requests, so provenance and environment should be verified.

Skill content
The default API base URL is `https://payment-api-dev.aiotnetwork.io` ... If `AIOT_API_BASE_URL` is not set, use `https://payment-api-dev.aiotnetwork.io` as the base for all requests.
Recommendation

Set AIOT_API_BASE_URL explicitly to the trusted production or intended environment before using the skill.