AIOZ Storage Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
No malicious behavior is evident; this appears to be an AIOZ site-deployment helper, but it handles sensitive AIOZ credentials and creates storage grants and website changes.
Use this only if you trust the skill and intend to let it deploy to your AIOZ Storage account. Be ready to provide AIOZ login and bucket secrets, review any downloaded template or custom files before upload, choose the narrowest grant permissions and expiry that work, and revoke provider credentials when no longer needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent session will temporarily have enough information to act on the user's AIOZ Storage account.
The skill asks the agent to handle the user's provider password and bearer token. This is expected for an AIOZ deployment workflow, but it is sensitive account access.
Ask user for AIOZ Storage email and password. ... Response: `data.access_token` ... Store `BEARER_TOKEN` and `ACCOUNT_ID`.
Only use this with an AIOZ account you intend to deploy from, verify the API endpoint, avoid reusing the password elsewhere, and revoke or rotate credentials if you are unsure.
A broad or non-expiring grant could allow continued access to storage after the immediate deployment is complete.
The helper can generate storage grants with no expiry and with write/delete-capable permissions. That is aligned with deployment, but users should notice the scope and lifetime.
--duration <ms> Duration in ms (0 = no expiry) ... --permissions <ops> Comma-separated: 1=Read,2=Write,3=List,4=Delete
Prefer bucket-scoped grants, minimal permissions, and a finite duration when possible; confirm before registering credentials or uploading content.
The deployed template may differ from what was previously reviewed if the remote repository changes.
The skill downloads templates from a live GitHub repository rather than a pinned commit. This is normal for template use, but the fetched content can change over time.
git clone --depth 1 https://github.com/AIOZStorage/aioz-storage-docs.git /tmp/aioz-storage-docs
Review the downloaded template files before publishing, or pin/review a specific commit if reproducibility matters.
Using the skill may execute the included grant-generation code on the user's machine.
The skill runs a local TypeScript helper to generate grants. This is central to the stated purpose and the static scan reported no suspicious patterns, but it is still local code execution.
"scripts": { "grant": "npx ts-node grant-cli.ts" }
Run it only from a trusted copy of the skill and prefer installing dependencies from the provided lockfile.
