AIOZ Stream Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent AIOZ API integration, but it asks for AIOZ secret keys and can manage account resources, so users should verify the source and use limited credentials.

Install only if you intend to let the agent manage your AIOZ Stream account. Verify the API domain and publisher, use a limited or temporary key if possible, confirm high-impact actions before they run, and rotate the secret key after use.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Providing the secret key may allow the agent to perform AIOZ account actions such as managing media, webhooks, analytics, or payment-related resources.

Why it was flagged

The skill requires delegated AIOZ account credentials before API use. This is expected for the integration, but it gives the agent authority to act on the user's AIOZ account.

Skill content

Clawbot must collect the user's API credentials... AIOZ Stream Public Key... AIOZ Stream Secret Key

Recommendation

Use the least-privileged or temporary AIOZ key available, only provide it when you intend to manage that account, and rotate it after the session.

What this means

The secret key may remain available within the active session and could be exposed if the session transcript or context is shared.

Why it was flagged

The AIOZ secret key is kept in the agent session context so it can be reused across requests. This is disclosed, but it is sensitive session state.

Skill content

Store them in session as `$AIOZ_PUBLIC_KEY` and `$AIOZ_SECRET_KEY` for use in all subsequent requests.

Recommendation

Avoid sharing session logs that include credentials, clear the session when done, and rotate the key if it may have been exposed.

What this means

Mistaken or overbroad API calls could change AIOZ account resources or uploaded media.

Why it was flagged

The skill documents broad API-management authority, including potentially account- or payment-impacting resources. This aligns with the stated purpose but should be user-controlled.

Skill content

Interact with the AIOZ Stream API to manage videos, audio, playlists, players, webhooks, analytics, payments, chapters, and transcripts

Recommendation

Confirm details before uploads, webhook changes, payment-related actions, deletions, or other irreversible account changes.

What this means

A user browsing only the registry metadata may not realize the skill will ask for an API secret key.

Why it was flagged

The registry-facing metadata does not advertise a credential requirement, while SKILL.md requires collection of AIOZ public and secret keys before API actions. This appears to be under-declaration rather than hidden exfiltration.

Skill content

Required env vars: none; Env var declarations: none; Primary credential: none

Recommendation

The publisher should declare the AIOZ credential requirement in metadata; users should read the full skill instructions before providing keys.

What this means

Users have less information to verify whether this is an official or trusted AIOZ integration.

Why it was flagged

The artifact metadata does not provide an official source or homepage. There is no install code to inspect, but provenance matters for a skill that requests API secrets.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the API domain and skill publisher against official AIOZ Stream documentation before entering credentials.