Kimi Integration
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Kimi setup guide with expected API-key and external-provider use, but users should protect keys and review the optional test script before running it.
Before installing or following the guide, understand that it configures Clawdbot to use external Kimi/Moonshot model providers with your API keys. Store keys securely, do not paste full keys into shared logs, review the optional Bash test script before running it, and only send prompts or code that your organization permits to be processed by those providers.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Moonshot or Kimi Code API key could be revealed locally if you copy troubleshooting output into a ticket or share your terminal.
The guide handles provider API keys and suggests printing them to the terminal during troubleshooting; this is purpose-related but can expose secrets in scrollback, recordings, or shared logs.
# Verify API keys echo $MOONSHOT_API_KEY echo $KIMICODE_API_KEY
Avoid printing full keys; use masked checks such as `echo ${MOONSHOT_API_KEY:+set}` and rotate any key that may have been exposed.
When enabled, prompts and context sent to the configured model provider may leave your local Clawdbot environment and be handled by Moonshot/Kimi services.
The configuration routes Clawdbot model traffic to an external provider using a user-supplied API key, which is expected for this integration but changes where future prompts are processed.
"baseUrl": "https://api.moonshot.cn/v1",
"apiKey": "${MOONSHOT_API_KEY}",
"api": "openai-completions"Use this only for data you are allowed to send to those providers, and review provider privacy, retention, and billing terms.
Running the script will contact the Kimi/Moonshot APIs, use your API key, and may create provider-side request records or usage charges.
The optional test script performs outbound API calls with the configured credential; this matches the stated connection-test purpose and is not installed or run automatically.
curl -s -X POST "https://api.moonshot.cn/v1/chat/completions" \
-H "Authorization: Bearer $MOONSHOT_API_KEY"Inspect the script before running it and execute it only when you intentionally want to test the provider connection.