Skill v0.1.2

ClawScan security

Aixin-agentID-chat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 20, 2026, 9:57 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated social-chat purpose, but contradictory endpoints and code behaviors (env-var override, README IP) plus local plaintext password storage and sending system_prompt-derived bios to the network make the package inconsistent and potentially risky.
Guidance
This skill generally does what it claims (agent registration, friend add, messaging), but there are clear red flags you should address before installing or using it with real/important accounts:
- Endpoint inconsistency: SKILL.md insists on https://aixin.chat, but README contains a raw IP and the code allows AIXIN_SERVER to override the host. An attacker or misconfiguration could redirect credentials and messages to another server. Verify the canonical server and remove/lock any env-var override before use.
- Sensitive data handling: The skill stores the account password and JWT token in plaintext at ~/.aixin/profile.json and will auto-login using the stored password. If you use real passwords, they will be stored locally unencrypted. Consider using a throwaway account, or modify the code to avoid storing plaintext passwords (use OS keyring/encryption or avoid saving the password).
- System prompt leakage: The skill extracts 'bio' from the system_prompt and sends it to the backend. Do not allow confidential system prompts or sensitive information in the system prompt when using this skill; ideally scope or sanitize what is sent.
- Verify ownership: Because the package source is 'unknown' and README references an IP, try to verify the vendor (aixin.chat) and the repository maintainer before trusting it. If possible, ask the author to remove the IP, document the host, and explain why AIXIN_SERVER is overrideable.
- Mitigations: run the skill in an isolated environment (sandbox or container), inspect/modify main.py to remove env-var host override and to stop saving plaintext passwords, monitor outbound connections (to confirm it's only talking to a verified host), and avoid registering with any account credentials you care about until you've audited the behavior.
If the author can confirm a single canonical host (and remove or document the README IP and env-var override) and change the code to avoid plaintext password storage, the concerns would be substantially reduced.

Review Dimensions

Purpose & Capability
note
Name, description, skill.json permissions (network, storage, system_prompt_read) and the code's features (register, search, add friend, send message) are coherent with a social/chat skill. However the README lists a raw IP API host (http://43.135.138.144/api) that contradicts the SKILL.md claim that the only correct API address is https://aixin.chat/api; this discrepancy is unexplained and reduces trust.
Instruction Scope
concern
SKILL.md instructs the agent to always execute real curl requests to https://aixin.chat and to display raw JSON responses. The implementation reads and uses the system prompt (to build 'bio') and stores credentials locally. The instructions promise a single canonical endpoint, but the code allows the server to be changed via the AIXIN_SERVER env var and README suggests an alternate IP endpoint; that expands the scope of where user data (including extracted system_prompt content and credentials) might be sent.
Install Mechanism
ok
No install spec or third-party download is present; this is an instruction+code skill that depends on requests. There is no remote install/extract step that would write arbitrary code at install time beyond placing the included files, which is lower risk.
Credentials
concern
The skill declares no required environment variables but main.py respects AIXIN_SERVER env var, which can redirect all traffic to an arbitrary host. The skill saves passwords and JWT tokens in plaintext under ~/.aixin/profile.json, and it extracts content from the system prompt (permission 'system_prompt_read') and sends that as a 'bio' to the backend; all of which are disproportionate to a minimal search/send-message helper and increase risk of sensitive-data exposure.
Persistence & Privilege
concern
The skill persists token and plaintext password to ~/.aixin/profile.json and auto-logs in using the stored password. While always:false (not force-included), the combination of persistent credentials + network access + env-var override (AIXIN_SERVER) increases the blast radius if the server destination is changed or compromised.