ClawHub

Call Aida App

v1.0.0

Invoke Aida chat-messages API with user-provided appid, query, and inputs to generate reports or analyze requests within Aida internal services.

0· 172·2 current·2 all-time
by夏广斌@summerloveqq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description claim (invoke AIDA chat-messages API) matches the included code: call_aida_app.py issues an HTTPS POST to https://aida.vip.sankuai.com/v1/chat-messages with Authorization: Bearer <appid>. The package does not request unrelated credentials or external services.
Instruction Scope
Runtime instructions describe running a script and returning the response fields. One minor inconsistency: SKILL.md instructs running 'main.py' while the repository contains 'call_aida_app.py' (other docs reference call_aida_app.py correctly). This is a documentation mismatch but not evidence of malicious behavior. The instructions and script confine actions to reading provided inputs/env vars and calling the AIDA endpoint; they do not instruct reading arbitrary system files or exfiltrating other secrets.
Install Mechanism
There is no remote installer or download. install.sh and test.sh are local helper scripts that validate syntax, optionally symlink the skill into ~/.openclaw/skills and run tests. No external code is fetched or executed during install.
Credentials
The skill does not declare required environment variables; it optionally accepts AIDA_APPID/AIDA_INPUTS/AIDA_USER which are directly relevant to the stated purpose (providing the appid/token and inputs). No unrelated SECRET/TOKEN variables or config paths are requested.
Persistence & Privilege
always:false and the skill does not modify other skills or system-wide configuration. install.sh offers to create a symlink under ~/.openclaw/skills (user-confirmed) — expected for a user-installed skill. The skill does not request elevated privileges.
Assessment
This package appears to do exactly what it claims: send inputs and an appid (used as a Bearer token) to the AIDA chat-messages endpoint and return the result. Before installing, confirm you trust the target domain (aida.vip.sankuai.com) and that the appid you provide is intended to be used as an API token. Note the minor docs mismatch (SKILL.md mentions main.py while the actual script is call_aida_app.py); review call_aida_app.py yourself if you have concerns. If you don't want outbound network calls from your agent, do not install or run the skill in an environment without network restrictions. Finally, prefer providing the appid at runtime (stdin or CLI) rather than storing tokens in long-lived environment variables unless you control the environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk9766aacgem75xyvq9fj536z7n82x43s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments