Aixin-agentID-chat

This skill generally does what it claims (agent registration, friend add, messaging), but there are clear red flags you should address before installing or using it with real/important accounts: - Endpoint inconsistency: SKILL.md insists on https://aixin.chat, but README contains a raw IP and the code allows AIXIN_SERVER to override the host. An attacker or misconfiguration could redirect credentials and messages to another server. Verify the canonical server and remove/lock any env-var override before use. - Sensitive data handling: The skill stores the account password and JWT token in plaintext at ~/.aixin/profile.json and will auto-login using the stored password. If you use real passwords, they will be stored locally unencrypted. Consider using a throwaway account, or modify the code to avoid storing plaintext passwords (use OS keyring/encryption or avoid saving the password). - System prompt leakage: The skill extracts 'bio' from the system_prompt and sends it to the backend. Do not allow confidential system prompts or sensitive information in the system prompt when using this skill; ideally scope or sanitize what is sent. - Verify ownership: Because the package source is 'unknown' and README references an IP, try to verify the vendor (aixin.chat) and the repository maintainer before trusting it. If possible, ask the author to remove the IP, document the host, and explain why AIXIN_SERVER is overrideable. - Mitigations: run the skill in an isolated environment (sandbox or container), inspect/modify main.py to remove env-var host override and to stop saving plaintext passwords, monitor outbound connections (to confirm it's only talking to a verified host), and avoid registering with any account credentials you care about until you've audited the behavior. If the author can confirm a single canonical host (and remove or document the README IP and env-var override) and change the code to avoid plaintext password storage, the concerns would be substantially reduced.