Account & Authentication

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill

Name: aiotnetwork-account-auth

Version: 1.0.1

The skill bundle provides standard authentication and account management functionality for the AIoT Network, including email/OTP, Web3 wallet login, and session management. The instructions in SKILL.md are security-conscious, explicitly directing the AI agent to avoid logging or persisting sensitive secrets like passwords and PINs. All tools and endpoints are consistent with the stated purpose of the skill.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may submit your login details and tokens to the configured API and can change account authentication settings when you ask it to.

Why it was flagged

The skill is explicitly designed to handle account credentials, bearer/refresh tokens, and authenticated account changes.

Skill content

`login` — Login with email and password ... `refresh_token` — Refresh an expired access token using a refresh token ... `update_password` — Change account password ... `link_wallet`

Recommendation

Use this only with the intended AIOT account, verify the API base URL, and provide passwords, OTPs, or wallet signatures only for actions you explicitly requested.

What this means

An unintended call could reset credentials, remove a wallet link, unlock an account, or terminate sessions.

Why it was flagged

The documented API actions can mutate account state. They are aligned with the account-management purpose, but they are high-impact if invoked for the wrong account or without user intent.

Skill content

`reset_password` — Reset account password ... `unlock_account` — Unlock a locked account ... `unlink_wallet` — Remove a linked Web3 wallet ... `logout_all` — Logout from all sessions

Recommendation

Confirm the target account and the specific requested action before using password, wallet, unlock, or logout-all flows.

What this means

If the environment variable is not set, credentials and authentication requests may be sent to the default API host.

Why it was flagged

The fallback remote endpoint is disclosed, but it is a development-looking API host used for all account-authentication requests, so provenance and environment should be verified.

Skill content

The default API base URL is `https://payment-api-dev.aiotnetwork.io` ... If `AIOT_API_BASE_URL` is not set, use `https://payment-api-dev.aiotnetwork.io` as the base for all requests.

Recommendation

Set `AIOT_API_BASE_URL` explicitly to the trusted production or intended environment before using the skill.