ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AIOZ Stream Toolkit

v1.0.9

Respond to user requests for AIOZ Stream API. Use provided scripts to upload videos, fetch analytics, manage media, and create livestreams.

0· 95·0 current·0 all-time
by@namle-aioz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, SKILL.md, scripts, and reference all align: the bundle implements upload, media listing, analytics, balance, and livestream-key flows against api.aiozstream.network. Required binaries (curl, jq, md5sum, file, stat, date) are appropriate for the shell scripts. However, the top-level registry metadata provided to the scanner lists no required environment variables while SKILL.md (and the scripts) clearly require STREAM_PUBLIC_KEY and STREAM_SECRET_KEY; that mismatch is an inconsistency to resolve.
Instruction Scope
The SKILL.md and included bash scripts only reference local files (for uploads), the declared STREAM_PUBLIC_KEY/SECRET, and the documented AIOZ API endpoints. There are no hidden endpoints or attempts to read unrelated system files. The SKILL.md instructs the agent to request credentials when missing and to set temporary environment variables; that is expected for an API-key based tool but should be handled carefully to avoid credential exposure.
Install Mechanism
There is no install spec and no network downloads — the package is script-based and runs using standard system tools. This is low-risk from an installer perspective because nothing external is fetched or extracted at install time.
!
Credentials
The scripts legitimately need two API keys (STREAM_PUBLIC_KEY and STREAM_SECRET_KEY) to call the AIOZ Stream API, which is proportionate. The concern is that the registry-level metadata (presented above) lists 'Required env vars: none' while SKILL.md requires both keys (STREAM_PUBLIC_KEY marked as primaryCredential). That inconsistency could cause the agent to run without appropriate platform-managed secret injection and instead prompt the user to paste keys into the session, increasing risk of accidental exposure.
Persistence & Privilege
The skill is user-invocable, not forced-always, and the scripts do not modify other skills or system-wide configuration. They do not request elevated privileges or persistent presence beyond using provided environment variables at runtime.
What to consider before installing
This toolkit appears to implement the advertised AIOZ Stream actions, but before installing or running it you should: 1) Resolve the metadata mismatch — confirm whether the skill really requires STREAM_PUBLIC_KEY and STREAM_SECRET_KEY (SKILL.md and scripts do require them). 2) Prefer supplying credentials via your platform's secure secret injection rather than pasting them into an interactive shell or chat. 3) Review the upload script (upload_video_file.sh) yourself if you will upload files from a sensitive host — it reads local files and posts them to api.aiozstream.network. 4) Run the scripts in a sandbox or isolated account/keys first, and limit/rotate the API keys you provide. 5) If you see the registry claim 'no env vars required' in the UI, treat that as a red flag and ask the publisher to correct metadata before trusting the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fwk4wjm0qrw6qdp54pvc8xn83qnmh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎥 Clawdis
Binscurl, jq, md5sum, file, stat, date

Comments