Avito.ru publish and chat
v1.0.0
Manage Avito.ru account, items, and messenger via API. Use for listing items, checking balance, reading chats, and getting account info.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included Python scripts: auth, get account, list items, list chats, and get balance — all call plausible Avito API endpoints and are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs running the provided scripts which only contact api.avito.ru endpoints and do not access unrelated system files. However, the scripts print raw JSON (including token responses) to stdout which could be captured by agent logs or other tooling and leak secrets.
Install Mechanism
There is no install spec (no code is downloaded at runtime), which is lower risk. But SKILL.md and the scripts require the Python 'requests' library while the registry metadata does not declare this dependency — a functional/inventory mismatch that could cause failures or hidden installs by users trying to make it work.
Credentials
The skill needs Avito Client ID/Client Secret and issues/accepts access tokens, which is appropriate for the service. But the registry metadata declares no required environment variables or primary credential; SKILL.md suggests env vars or CLI args. This mismatch means the skill expects secrets but doesn't declare them to the platform, increasing risk of accidental exposure or user confusion. Also, token JSON is printed to stdout (potential leakage).
Persistence & Privilege
The skill does not request persistent/always-on presence, does not modify system or other skills, and uses only ordinary runtime calls. Autonomous invocation is enabled by default (normal) but not combined with other alarming privileges.
What to consider before installing
- The code implements the advertised Avito actions (auth, list items/chats, balance) and calls api.avito.ru — that part looks coherent.
- The skill requires your Avito Client ID and Client Secret and will obtain/print access tokens; the registry metadata does not declare these required credentials. Only provide credentials if you trust the skill author and environment.
- Tokens and API responses are printed to stdout — they can be captured in logs. Prefer running these scripts locally in a controlled environment or modifying them to avoid printing secrets.
- The package expects the Python 'requests' library but doesn't declare it as a dependency; ensure your runtime has it rather than installing third-party packages from unknown sources.
- The skill owner and homepage are unknown; if you need this functionality, consider using an official SDK or verifying the author (or requesting the author update metadata to declare required env vars and remove/secure prints) before granting secrets.
Like a lobster shell, security has layers — review code before you run it.
latest
Avito
This skill provides tools to interact with the Avito.ru API.
Requirements
- requests library for Python.
- Avito Client ID and Client Secret.
Setup
Set your credentials in your environment or provide them when prompted.
Features
Authentication
Get an access token using your client credentials.
python3 scripts/auth.py <client_id> <client_secret>
Account Info
Get information about your account, including your user_id.
python3 scripts/get_self.py <token>
Balance
Check your account balance.
python3 scripts/get_balance.py <token> <user_id>
Items Management
List your current advertisements.
python3 scripts/list_items.py <token>
Messenger
List chats in your account.
python3 scripts/list_chats.py <token> <user_id>
Note: Messenger API access may require a specific Avito subscription.
TODO
- Implement item creation (POST /items).
- Implement item status updates (editing, deleting).
- Implement webhook registration.
- Implement messenger message sending and retrieval.
