Aihot Skill Lite

Pass. Audited by ClawScan on May 7, 2026.

Overview

This instruction-only skill coherently fetches public AI news from a disclosed website, with no code, persistence, or credential use shown.

This looks safe for its stated purpose if you are comfortable with your agent making live requests to aihot.virxact.com for AI-news queries. Do not provide credentials, and review any external GitHub or curl|bash material separately before using it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent may contact aihot.virxact.com with a browser-like User-Agent when answering current AI-news questions.

Why it was flagged

The skill tells the agent to make curl requests to the public API using a browser-like User-Agent. This is disclosed and central to the news-fetching purpose, but it is still external command/network use that users should notice.

Skill content

`/api/public/*` ... the default `curl/X.Y` UA gets a 403. **Every curl call to the API must send a browser UA**

Recommendation

Install only if you are comfortable with the agent making those web requests; do not provide credentials because the reviewed artifact does not require them.

Note (High Confidence)

ASI01: Agent Goal Hijack

What this means

The agent may choose this skill for a wide range of AI-news or AI-industry-current-events prompts.

Why it was flagged

The skill uses strong routing language to make the agent prefer this API for AI-news questions. This is aligned with the purpose of providing current news, but it broadens when the skill may be invoked.

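Skill content

**Do not undertrigger**: if a user asks about AI news and you do not call this Skill, you are passing off stale training data as today's news, which harms the user. ... always go through the API

Recommendation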

If you want an offline/general answer rather than a live lookup, say so explicitly.

What this means

Search terms you ask about may be included in requests to aihot.virxact.com.

Why it was flagged

Keyword searches are sent to the external AI HOT API. This is expected for a live news-search skill, but user query terms may leave the local agent context.

Skill content

`GET /api/public/items?q=<关键词>` (server-side keyword search)

Recommendation

Avoid putting confidential internal information into AI-news searches unless you are comfortable sending those terms to the service.

What this means

Following external links or running external install commands would involve code or instructions not reviewed here.

Why it was flagged

The reviewed skill is instruction-only, but it points to off-registry full documentation and mentions a curl|bash install pattern that was not part of the supplied artifacts.

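Skill content

For the full version (21KB+, covering workflow / data shapes / output format / error handling / the complete list of things not to do), see GitHub ... one-line install with `curl -fsSL ... | bash`

Recommendation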

Use the packaged instruction-only skill as reviewed; if you choose to use the GitHub/full install path, review that material separately before running it.