Avito Pro

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is given Avito credentials, it could act on customer chats or paid/listing-related services in ways the user did not intend.

Why it was flagged

The skill documents Avito API operations that can send messages and apply paid/additional account services, but the artifact does not specify user confirmation or limiting rules before these account-changing actions.

Skill content

Send a message: POST /messenger/v1/accounts/{user_id}/chats/{chat_id}/messages ... Applying additional services (VAS): POST /vas/v1/accounts/{user_id}/vas

Recommendation

Use this skill only with explicit per-action approval for message sending, image uploads, webhook changes, and VAS/service application; prefer read-only scopes unless a write action is specifically requested.

What this means

Anyone or any agent with these tokens may be able to read account data or perform actions allowed by the granted Avito scopes.

Why it was flagged

The skill requires Avito OAuth credentials and bearer tokens, which is expected for this API integration, but those credentials grant real account access.

Skill content

client_id: Your Client ID ... client_secret: Your Client Secret ... All requests must include the header Authorization: Bearer <ACCESS_TOKEN>

Recommendation

Keep Client Secret and access tokens out of chat history when possible, grant only the minimum required scopes, and revoke or rotate tokens after use.

What this means

If configured with the wrong destination, Avito chat events could be sent to an unintended or untrusted server.

Why it was flagged

Webhook endpoints are part of the documented Avito messenger integration and can create an ongoing channel for chat events to a configured callback endpoint.

Skill content

Webhooks: Subscribe: POST /messenger/v1/webhook; Unsubscribe: POST /messenger/v1/webhook/unsubscribe

Recommendation

Only subscribe webhooks to callback URLs you control, document the destination, and unsubscribe when the integration is no longer needed.