v2ex

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is a straightforward V2EX API guide, but users should handle the V2EX token and any notification-deletion actions carefully.

This looks safe to install as an instruction-only V2EX API helper. Before using authenticated features, provide the token through a secure channel such as an environment variable, and tell the agent not to delete notifications unless you explicitly approve that action.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the token can access authenticated V2EX endpoints such as notifications, profile, and token information.

Why it was flagged

The skill expects the user or agent to handle an account bearer token. This is purpose-aligned for V2EX API access, but it is still delegated account authority.

Skill content

V2EX API 2.0 requires a Personal Access Token for authentication... Use the token in the Authorization header: `Authorization: Bearer <your-token>`

Recommendation

Use a minimal-scope V2EX token if available, keep it out of chat transcripts and code, and revoke it if it may have been exposed.

What this means

If invoked unintentionally, the agent could delete V2EX notifications the user may have wanted to keep.

Why it was flagged

The skill documents an authenticated action that changes account state by deleting notifications. It is disclosed and related to notification management, but should remain user-directed.

Skill content

DELETE /notifications/:notification_id ... Optionally delete notifications after reading

Recommendation

Require explicit confirmation before any DELETE request or other account-changing API call.