Avito.ru publish and chat
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: avito
Version: 1.0.0
The skill bundle is benign. All Python scripts (`auth.py`, `get_balance.py`, `get_self.py`, `list_chats.py`, `list_items.py`) interact exclusively with the legitimate Avito API domain (`api.avito.ru`) to perform account management tasks as described. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or obfuscation. The `SKILL.md` file provides clear instructions for using the skill and does not contain any prompt injection attempts or instructions for the AI agent to perform actions outside the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill will need to provide Avito credentials or tokens, which can allow reading account information, balances, listings, and chats.
The skill requires Avito API credentials and uses them to obtain an access token, giving the agent delegated access to the user's Avito account data.
- Avito Client ID and Client Secret. ... python3 scripts/auth.py <client_id> <client_secret>
Use a dedicated, least-privileged Avito API credential if possible, avoid pasting secrets into shared chats or logs, and revoke the token or secret if it is exposed.
Access tokens or secrets could be more easily copied, logged, or retained outside Avito if handled through command-line arguments and plain output.
The authentication helper takes credentials from command-line arguments and prints token data to stdout, which is functional but may expose secrets in shell history, process listings, terminal output, or agent logs.
token_data = get_token(sys.argv[1], sys.argv[2])
print(json.dumps(token_data))
Prefer environment variables, a secret manager, or a safer wrapper that avoids command-line secret arguments and redacts tokens from logs.
Users have less provenance information for deciding whether to trust the skill and must install or verify dependencies themselves.
The provided artifacts include the source files, but the package provenance and homepage are not identified, and the Python dependency is only documented in SKILL.md rather than managed by an install spec.
Source: unknown Homepage: none ... No install spec — this is an instruction-only skill.
Review the included scripts before use and install dependencies only from trusted package sources.
