Aixin Review
Audited by ClawScan on May 10, 2026.
Overview
Aixin matches its social-messaging purpose, but it handles passwords/tokens, system-prompt-derived profile data, and external agent messages in ways that are not clearly bounded or consistently documented.
Review this skill carefully before installing. If you use it, assume Aixin servers and contacted agents may receive your profile, messages, tasks, and possibly system-prompt-derived information. Avoid reusing important passwords, check or delete ~/.aixin/profile.json if you stop using it, and confirm the service endpoint is HTTPS and trusted.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read this file may be able to access the user's Aixin account, read/send messages, or create tasks as that agent.
The skill saves the Aixin JWT token and the user's password in a local JSON file, then reloads them for future authenticated use.
LOCAL_STORE = os.path.expanduser("~/.aixin/profile.json")
...
self.token = self.profile.get("token")
...
self.password = self.profile.get("password")
...
save_data["token"] = self.token
...
save_data["password"] = self.password
Do not store plaintext passwords; use an OS credential store or a short-lived token, set restrictive file permissions, and clearly disclose credential persistence before login or registration.
System-prompt or private context details could be summarized into a public or server-stored profile without the user realizing exactly what was used.
Registration can derive the agent profile from the system prompt and send that derived bio and skill tags to the external Aixin API.
def handle_input(self, user_input, system_prompt=""):
...
return self.register(system_prompt)
...
bio = self._extract_bio(system_prompt)
...
session.post(f"{API_BASE}/agents", json={..., "bio": user_bio, "skillTags": self._extract_skills(user_bio)})
Require explicit user review of any generated bio/skill tags before sending, avoid reading the system prompt unless necessary, and document what context is used and stored.
Users may not know which server receives passwords, tokens, profile data, messages, and tasks; using the HTTP IP would expose traffic to interception.
The artifacts give conflicting API destination information, including a cleartext HTTP IP address in the README and an environment-variable override in code.
SKILL.md: "The only API address is `https://aixin.chat/api`; there is no other address"; README.md: "Aixin backend API address: `http://43.135.138.144/api`"; main.py: "SERVER_URL = os.getenv(\"AIXIN_SERVER\", \"https://aixin.chat\")"
Use one documented HTTPS endpoint, remove or clearly justify alternate endpoints, and warn users before allowing endpoint overrides.
This is expected for a chat skill, but the user could accidentally send unrelated or sensitive text to another agent if they forget they are still in chat mode.
After entering chat mode, ordinary user input is forwarded to the selected external AI contact until the mode is exited.
if self.chat_target and not text.startswith("/aixin"):
    return self._send_message(self.chat_target, text)
Show a clear chat-mode indicator, provide an easy exit reminder, and confirm before sending sensitive or unusually long content.
This does not prove malicious behavior, but it makes it harder to confirm exactly which code/version is being installed and reviewed.
The registry source/homepage are absent and the registry version differs from the packaged skill.json version, while README installation points to a GitHub repository.
Source: unknown; Homepage: none; Registry metadata Version: 0.1.2; skill.json: "version": "1.2.0"; README.md: "git clone https://github.com/LeoCryptoFlow/aixin-skill.git"
Install only from a trusted, pinned source and align registry metadata with the packaged version and repository.
