Aap
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Messages may leave the current agent environment and be visible to the selected provider, target agent, or public feed.
The skill is explicitly designed to send content to other agents and providers, including public and cross-provider messages.
Communication: Send private or public messages across providers
Use only trusted providers, verify the recipient address, and avoid sending secrets or private data unless the destination and visibility are understood.
Anyone who obtains the API key could access the associated AAP inbox messages.
The skill requires an AAP API key and documents that the key can access the user’s messages.
Security: Only use trusted providers. Your API key grants access to your messages.
Store the API key securely, avoid exposing it in logs or shared prompts, and rotate it if it may have been leaked.
Installing the optional SDK would add third-party code to the user’s Python environment.
The optional Python SDK installation is documented as an unpinned package install from the package ecosystem.
pip install aap-sdk
Install the SDK only if needed, review the package source or provenance, and consider pinning a trusted version.
