AINative API Discovery

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is an instruction-only AINative API reference; it does not install or run code, but users should protect API keys and review any account-changing API calls.

This skill appears safe as an instruction-only API reference. Before using generated examples, confirm which endpoint will be called, protect any AINative API key or bearer token, and be especially careful with billing, admin, upload, memory, and DELETE/PUT/POST operations.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user pastes real keys into prompts, logs, or generated scripts, those keys could be reused to access their AINative account.

Why it was flagged

The skill documents use of API keys and bearer tokens for AINative account access. This is expected for an API reference, but these credentials can authorize account actions if exposed or misused.

Skill content

All public endpoints require an API key: ... X-API-Key: ak_your_key_here ... Or Bearer token (for user sessions)

Recommendation

Use least-privilege API keys where available, keep tokens out of prompts and shared logs, and rotate any key that may have been exposed.

What this means

Accidentally running generated POST, PUT, or DELETE requests could change account state or remove data.

Why it was flagged

The endpoint catalog includes mutating operations that could change billing, developer settings, or stored data if invoked. The artifact presents them as documentation rather than automatic actions, so this is a notice rather than a concern.

Skill content

`/api/v1/billing/subscribe` | POST | Subscribe to a plan ... `/api/v1/echo/markup` | PUT | Set your markup rate (0-40%) ... `/api/v1/public/memory/v2/forget` | DELETE | Remove memories

Recommendation

Treat the listed endpoints as reference material and require explicit user confirmation before making account-changing API calls.

What this means

Sensitive information sent to memory endpoints could be stored, recalled, or used to build a profile.

Why it was flagged

The skill documents external memory endpoints that can store, recall, and profile user data. This is purpose-aligned API documentation, but users should understand that data sent to those endpoints may persist and influence later results.

Skill content

`/api/v1/public/memory/v2/remember` | POST | Store a memory ... `/api/v1/public/memory/v2/profile` | GET | Build user profile from memories

Recommendation

Only send intended data to memory endpoints, avoid secrets or highly sensitive personal data, and use forget/delete endpoints when retention is no longer desired.