iFind http API
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a legitimate iFinD API wrapper, but it asks the agent to retrieve and store a sensitive iFinD refresh token, so users should review it before use.
Only install this if you are comfortable letting the agent access your iFinD account page and store a refresh token locally. Prefer giving explicit approval for token handling, use a virtual environment for dependencies, review raw endpoint calls before they run, and remove ~/.openclaw/skills/ifind/credentials.json when you no longer need the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could gain ongoing access to the user's iFinD API account through the refresh token, and the token could be exposed through command/tool logs or process arguments if handled carelessly.
This directs the agent to use an existing authenticated browser session to obtain a long-lived provider credential and store it locally. That is purpose-aligned for iFinD API access, but it is high-impact account authority and lacks a clear user-consent gate before reading an already-logged-in session.
log in with the user's existing session ... locate the `refresh_token` ... `python3 scripts/ifind_token_store.py set --token '<TOKEN>'`
Require explicit user approval before accessing the account page or reading the token, declare the credential requirement in metadata, and prefer a safer secret-entry mechanism such as a secret store or stdin prompt rather than a command-line token argument.
A mistaken or overly broad raw endpoint call could consume API quota or perform unintended iFinD account/API actions if such endpoints exist.
The CLI supports a raw endpoint mode that sends arbitrary JSON payloads to a user-specified iFinD API endpoint under the stored token. This fits the wrapper purpose, but it is broader than the safer preset commands.
endpoint.add_argument('endpoint') ... payload = json.loads(args.payload) ... return api._call_api(args.endpoint, payload)
Prefer the preset commands for routine use, and require the user to review and approve raw endpoint names and payloads before calling them.
Installing dependencies may pull a newer version of requests than the author tested.
The dependency is specified with a lower bound rather than an exact version pin, so a future package version may be installed. The install step is user-directed and the dependency is purpose-aligned.
requests>=2.31.0
Install in a virtual environment and consider pinning an exact requests version if reproducibility is important.
