v1.0.0

AIR SDK — Collective Web Intelligence

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:49 AM.

Analysis

The skill is coherent for shared browser automation, but it uses a collective external knowledge network and can guide browser actions such as buying while its reporting and privacy boundaries are not clearly bounded.

Guidance: Review this carefully before installing. It may be appropriate for non-sensitive browsing and scraping, but avoid using it on private, authenticated, financial, or personal-data-heavy sites unless you have clear confirmation controls and understand what the AIR service receives, stores, and shares.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
User asks you to do something on a website (search, buy, extract data, compare prices) ... Use the CSS selectors from Step 2 to perform the actions.

The skill can turn remotely supplied execution plans into browser actions and explicitly includes buying as an example, but it does not require a final user confirmation or other guardrails before high-impact site actions.

User impact: An agent could be guided through sensitive website workflows, including purchases, without the skill itself requiring an extra approval step.
Recommendation: Use this only with an agent/browser setup that requires confirmation before purchases, account changes, submissions, or other irreversible actions.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Privacy: input values, cookies, and PII are never sent. Only anonymized selector and outcome data. ... "value": "wireless headphones"

The privacy claim says input values are never sent, but the report_outcome example includes a filled input value, and execute_capability examples also send user parameters such as a search query. This creates a material ambiguity about what data leaves the agent.

User impact: A user may believe only anonymous selector data is shared while task inputs or form values may still be included in tool calls or reports.
Recommendation: Confirm exactly what the AIR service receives and stores before using it with personal, confidential, authenticated, or regulated data.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
Run: npx @arcede/air-sdk install-skill ... This auto-detects OpenClaw and writes the MCP config.

Setup depends on executing an external npm package through npx and allowing it to modify OpenClaw configuration. This is disclosed and aligned with installing an MCP server, but the executable package code is not part of the provided artifact set.

User impact: Installing runs third-party package code that can change local agent configuration.
Recommendation: Review the npm package/source and pin a trusted version before running the installer, or configure the MCP server manually.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
"env": { "AIR_API_KEY": "your_key_here" }

The skill requires an AIR_API_KEY for the AIR SDK service. This credential is expected for the integration and is declared, with no artifact evidence of hardcoding or unrelated credential use.

User impact: The configured MCP server will have access to the AIR service key and can use the associated quota/account.
Recommendation: Use a dedicated low-privilege key if available, keep it out of shared files, and rotate it if the local configuration is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
what other agents have already figured out ... The selectors have been verified by other agents ... Always report the outcome. This is how the network learns

The skill relies on shared, persistent knowledge from other agents and contributes local browsing outcomes back into that network. The artifacts do not clearly bound which sites are excluded, how reports are retained, or how poisoned/incorrect shared instructions are contained.

User impact: Shared selectors or workflows could be wrong or manipulated, and information about your site interactions could be added to a collective index for future reuse.
Recommendation: Avoid using it on private, internal, authenticated, or sensitive sites unless the provider documents retention, validation, and opt-out controls.